Abstract

A new technique for proving timing properties for timing-based algorithms is described; it is an extension of the mapping techniques previously used in proofs of safety properties for asynchronous concurrent systems. The key to the method is a way of representing a system with timing constraints as an automaton whose state includes predictive timing information. Timing assumptions and timing requirements for the system are both represented in this way. A multivalued mapping from the “assumptions automaton” to the “requirements automaton” is then used to show that the given system satisfies the requirements. The technique is illustrated with two simple examples, a resource manager and a signal relay. The technique is shown to be complete, that is, if some automaton with certain timing assumptions has certain timing behavior, then there exists a mapping from the “assumptions automaton” to the “requirements automaton”.

Keywords: Timing properties, timing-based algorithms, formal specification, formal verification, assertional reasoning, possibilities mappings, timed automata, I/O automata.


1 Introduction


Assertional reasoning is a very useful technique for proving safety properties of sequential and concurrent algorithms. This proof method involves describing the algorithm of interest as a state machine, and defining a predicate known as an assertion on the states of the machine. One proves inductively that the assertion is true of all the states that are reachable in a computation of the machine, i.e., that it is an invariant of the machine. The assertion is defined so that it implies the safety property to be proved.

One kind of assertional reasoning uses a mapping to describe a correspondence between the given algorithm and a higher-level algorithm used as a specification of correctness. (See, for example, [La83, Ly86, LT87].) Such mappings may be single-valued or multivalued.

So far, assertional reasoning has been used primarily to prove properties of sequential algorithms and synchronous and asynchronous concurrent algorithms. It would also be nice to use this technique to prove properties of concurrent algorithms whose operation depends on time, e.g., algorithms that use clocks that tick at approximately predictable rates. Also, the kinds of properties generally proved using assertional reasoning have been “ordinary” safety properties; it would be nice to use similar methods to prove timing properties (upper and lower bounds on time) for algorithms that have timing assumptions. For example, predictable performance is often a desirable characteristic of real-time systems [SR89]; assertional techniques could be very helpful in proving such performance properties.

In this paper, we describe one way in which assertional reasoning can be used to prove timing properties for algorithms that have timing assumptions. Our method involves constructing a multivalued mapping from an automaton representing the given algorithm to another automaton representing the timing requirements. The key to our method is a way of representing a system with timing constraints as an automaton whose state includes predictive timing information. Timing assumptions and timing requirements for the system are both represented in this way, and the mappings we construct map from the “assumptions automaton” to the “requirements automaton”.

The formal model we use to describe our method is the timed automaton model, a slight variant of the time constrained automaton model of [MMT88]. We use this model to state the requirements to be satisfied, to define the basic architectural and timing assumptions, to describe the algorithms, and to prove their correctness and timing properties. A timed automaton is a pair (A, b), consisting of an I/O automaton [LT87, LT89], together with a boundmap, which is a formal description of the timing assumptions for the components of the system. We introduce the notion of a timing condition to state upper and lower bounds on the difference between the times at which certain events or states appear in an execution; the conditions imposed by a boundmap are timing conditions of a particular kind. An automaton and a set of timing conditions (in particular, a timed automaton) generates a set of timed executions and a corresponding set of timed behaviors.

While convenient for specifying timing assumptions and requirements, timed automata are not directly suited for carrying out assertional proofs about timing properties, because timing constraints are described by specially-defined timing conditions rather than being built into the automaton itself. We therefore require a way of incorporating timing conditions into an automaton definition. We do this by means of a general construction of an automaton time(A,U), for a given timed automaton A, and a set U of timing conditions. The automaton time(A,U) is an ordinary I/O automaton (not a timed automaton) whose state includes predictive information describing the first and last times at which various events can next occur; this information is designed to enforce the timing conditions in U.

In the special case that U represents the conditions imposed by a boundmap b for A, time(A,U) is the automaton time(A) defined in [AtL89]; this is denoted by time(A,b) in this paper.

The timing requirements to be proved for an algorithm described as a timed automaton, (A, b), are described as a set of timing conditions, U, for A. We define the requirements automaton to be time(A,U). Thus, we build into the state of the requirements automaton predictive information about the first and last times at which certain events of interest can next occur.

The problem of showing that a given algorithm (A, b) satisfies the timing requirements is then reduced to that of showing that any behavior of the automaton time(A,b) is also a behavior of time(A,U). We do this by using invariant assertion techniques; in particular, we demonstrate a multivalued mapping from time(A,b) to time(A,U).

In order to demonstrate the use of our technique, we apply it to two simple examples. The first example is a timing-dependent system consisting of two concurrently-operating components, which we call a clock and a manager. The clock ticks at an approximately known rate. The manager monitors the clock ticks, and after a certain number have occurred, it issues a GRANT (of a resource). It then continues counting ticks; whenever sufficiently many have occurred since the previous GRANT event, the manager issues another GRANT. We give careful proofs of upper and lower bounds on the amount of time prior to the first GRANT event and in between each successive pair of GRANT events.

The second example is an asynchronous (not timing-dependent) system consisting of a “line” of processes. Each process waits to receive a SIGNAL from the process at its left and then sends a SIGNAL to the process at its right. We give careful proofs of upper and lower bounds on the time to propagate a SIGNAL from the left end to the right end of the line. Both of these examples are extremely simple; however, the ideas they embody also appear in many more realistic examples.

The mappings we provide for both of these examples have a particularly interesting and simple form - a set of inequalities relating the time bounds to be proved to those that can be computed from the state. These inequalities contain information about how the bounds are to be satisfied.

Another interesting aspect of the second example is that the proof is carried out using a hierarchy of automata, rather than just a pair of automata; the given system is the lowest level, and the requirements automaton is the highest level in the hierarchy. We define a mapping for each level in the hierarchy; the composition of the entire collection of mappings is the mapping needed to show correctness. The hierarchical proof is especially interesting because its assertional reasoning corresponds closely to the more “operational” reasoning that might be used in an alternative proof based on recurrences.

Technically, mapping techniques of the sort used in this paper are only capable of proving safety properties, but not liveness properties. Timing properties have aspects of both safety and liveness. A timing lower bound asserts that an event cannot occur before a certain amount of time has elapsed; a violation of this property is detectable after a finite prefix of a timed execution, and so a timing lower bound can be regarded as a safety property. A timing upper bound asserts that an event must occur before a certain amount of time has elapsed. This can be regarded as making two separate claims: that the designated amount of time does in fact elapse (a liveness property), and that that time cannot elapse without the event having occurred (a safety property). In this paper, we assume the liveness property that time increases without bound, so that all the remaining properties that need to be proved in order to prove either upper or lower time bounds are safety properties. Thus, our mapping technique provides complete proofs for timing properties without requiring any special techniques (e.g., variant functions or temporal logic methods) for arguing liveness.

We show that this method is complete: If every behavior of (A, b) is also a behavior of time(A,U) then there is necessarily a strong possibilities mapping (in the form of inequalities) from time(A,b) to time(A,U). Related completeness results for the usage of refinement mappings to prove properties of non timing-based algorithms were proved in [AbL88] and [M89].

There has been some prior work on using assertional reasoning to prove timing properties. In particular, Haase [H81], Shankar and Lam [SL87], Tel [T88], Schneider [S88], Lewis [Le89] and Shaw [S89] have all developed models for timing-based systems that incorporate time information into the state, and have used invariant assertions to prove timing properties. In [T88] and [Le89], in fact, the information that is included is similar to ours in that it is also predictive timing information (but not exactly the same information as ours). None of this work has been based on mappings, however.

Several other, quite different formal approaches to proving timing properties have also been developed. Some representative papers describing these other methods are [BH81], [KVR83], [JM87], [Ho87], [Zw88], [JS88], and [GF88].

The rest of the paper is organized as follows. Section 2 contains a description of the underlying formal models: I/O automata, timed automata and timing conditions. Section 3 contains the general construction used to produce the time(A,U) automata, and some properties of these automata. Section 4 contains our first example, a simple resource-granting manager using a clock; the section contains a description of the algorithm, a description of the corresponding requirements automaton, and a correctness proof. Section 5 contains a method of handling systems with finite executions. Section 6 contains the second example - a simple signal propagation system, with a treatment similar to the first example. Section 7 contains a proof of the completeness of our method. We conclude with a discussion in Section 8. Some of the more technical proofs are relegated to an Appendix.


2 Formal Model

In this section, we present the definitions for the underlying formal model. In particular, we define I/O automata, timed automata and timing conditions. We also present some of their relevant properties.

2.1 I/O Automata

We begin by summarizing some of the key definitions for the I/O automaton model. We refer the reader to [LT87, LT89] for a complete presentation of the model and its properties.

An I/O automaton consists of the following components: acts(A), a set of actions, classified as output, input and internal (input and output actions are called external); states(A), a set of states, including a distinguished subset, start(A), of start states; steps(A), a set of steps, where a step is defined to be a (state, action, state) triple; and part(A), a partition of the locally controlled (output and internal) actions into equivalence classes; the partition groups together actions that are to be thought of as under the control of the same underlying process.

An action $\pi$ is said to be enabled in a state $s'$ provided that there is a step of the form $(s', \pi, s)$. An automaton is required to be input enabled, which means that every input action must be enabled in every state. For any set $\Pi \subseteq acts(A)$, we denote by $enabled(A, \Pi)$ the set of states of A in which some action in $\Pi$ is enabled, and by $disabled(A, \Pi)$ the set of all states of A not in $enabled(A, \Pi)$, that is, $disabled(A, \Pi) = states(A) \setminus enabled(A, \Pi)$.

An execution fragment of an I/O automaton A is a sequence (finite or infinite) of alternating states and actions

$s_0, \pi_1, s_1, \ldots, s_{i-1}, \pi_i, s_i, \ldots$

where for every i, $(s_{i-1}, \pi_i, s_i) \in steps(A)$. (If the sequence is finite, then it is required to end with a state.) An execution is an execution fragment with $s_0 \in start(A)$. The schedule of an execution $\alpha$ is the subsequence consisting of the actions appearing in $\alpha$ and is denoted $sched(\alpha)$. The behavior of an execution $\alpha$ of A is the subsequence of $\alpha$ consisting of external actions appearing in $\alpha$ and is denoted $beh(\alpha)$. The schedules and behaviors of A are just those of the executions of A.

Concurrent systems are modeled by compositions of I/O automata, as defined in [LT87, LT89]. In order to be composed, automata must be strongly compatible; this means that no action can be an output of more than one component, that internal actions of one component are not shared by any other component, and that no action is shared by infinitely many components. The result of such a composition is another I/O automaton. The hiding operator can be applied to reclassify output actions as internal actions.
2.2 Timed Automata


In this subsection, we augment the I/O automaton model to allow discussion of timing assumptions. The treatment here is similar to the one described in [AtL89] and is a special case of the definitions proposed earlier in [MMT88].

A boundmap for an I/O automaton A is a mapping that associates a closed subinterval of $[0, \infty]$ with each class in part(A), where the lower bound of each interval is not $\infty$ and the upper bound is nonzero. Intuitively, the interval associated with a class C by the boundmap represents the range of possible lengths of time between successive times when C “gets a chance” to perform an action. We sometimes use the notation $b_\ell(C)$ to denote the lower bound assigned by boundmap b to class C, and $b_u(C)$ for the corresponding upper bound. A timed automaton is a pair (A, b), where A is an I/O automaton and b is a boundmap for A.

We require notions of “timed execution”, “timed schedule” and “timed behavior” for timed automata, corresponding to executions, schedules and behaviors for ordinary I/O automata. These will all include time components. We begin by defining the basic type of sequence that underlies the definition of a timed execution.

A timed sequence (for an I/O automaton A) is a (finite or infinite) sequence of alternating states and (action, time) pairs,

$s_0, (\pi_1, t_1), s_1, (\pi_2, t_2), s_2, \ldots$

ending in a state if the sequence is finite, where the states are from states(A) and the actions are from acts(A).¹ Define $t_0 = 0$. The times $t_0, t_1, \ldots$ are required to be nondecreasing, and if the sequence is infinite then the times are also required to be unbounded. For any finite timed sequence $\alpha$ define $t_{end}(\alpha)$ to be the time of the last event in $\alpha$, if $\alpha$ contains any (action, time) pairs, or 0, if $\alpha$ contains no such pairs. We denote by $ord(\alpha)$ (the “ordinary” part of $\alpha$) the sequence

$s_0, \pi_1, s_1, \pi_2, \ldots$

i.e., $\alpha$ with time components removed.

Definition 2.1 Suppose (A, b) is a timed automaton. Then a timed sequence $\alpha$ is a timed execution of (A, b) provided that $ord(\alpha)$ is an execution of A and $\alpha$ satisfies the following conditions, for each class $C \in part(A)$ and every i.

1. Suppose $b_u(C) < \infty$. If $s_i \in enabled(A, C)$ and either $i = 0$ or $s_{i-1} \in disabled(A, C)$ or $\pi_i \in C$, then there exists $j > i$ with $t_j \le t_i + b_u(C)$ such that either $\pi_j \in C$ or $s_j \in disabled(A, C)$.

2. If $s_i \in enabled(A, C)$ and either $i = 0$ or $s_{i-1} \in disabled(A, C)$ or $\pi_i \in C$, then there does not exist $j > i$ with $t_j < t_i + b_\ell(C)$ and $\pi_j \in C$.

¹We usually omit reference to the automaton A, as it is clear from the context.




The first condition says that, starting from when an action in C occurs or first gets enabled, within time $b_u(C)$ either some action in C occurs or there is a point at which no such action is enabled. Note that if $b_u(C) = \infty$, no upper bound requirement is imposed. The second condition says that, again starting from when an action in C occurs or first gets enabled, no action in C can occur before time $b_\ell(C)$ has elapsed.

The timed schedule of a timed execution of a timed automaton (A, b) is the subsequence consisting of the (action, time) pairs, and the timed behavior is the subsequence consisting of the (action, time) pairs for which the action is external. The timed schedules and timed behaviors of (A, b) are just those of the timed executions of (A, b).

We model each timing-dependent concurrent system as a single timed automaton (A, b), where A is a composition of ordinary I/O automata (possibly with some output actions hidden).²

2.3 Timing Conditions

The conditions imposed by a boundmap are appropriate for describing the timing assumptions of many systems. However, in order to describe the timing requirements that are to be proved for these systems, it is convenient to generalize these conditions. For example, a bound is often required on the time between two particular events, e.g., a request and a corresponding grant. It is convenient to have a notation that permits explicit description of such a condition, without reference to the underlying partition classes. Therefore, in this subsection, we generalize the conditions expressed by boundmaps to more general “timing conditions”.

Let A be an I/O automaton. A timing condition for A is a tuple of the form $(T_{start}, T_{step}, b, \Pi, S)$, where:

• $T_{start} \subseteq start(A)$ and $T_{step} \subseteq steps(A)$ are the triggers,

• b is a closed interval of the form $[b_\ell, b_u]$, where $b_\ell \ne \infty$ and $b_u \ne 0$,

• $\Pi \subseteq acts(A)$, and

• $S \subseteq states(A)$ is the disabling set.

We require that a timing condition satisfy the following technical conditions:

1. $T_{start} \cap S = \emptyset$, and

2. if $(s', \pi, s) \in T_{step}$ then $s \notin S$.

²An equivalent way of looking at each system is as a composition of timed automata. An appropriate definition for a composition of timed automata is developed in [MMT88], together with theorems showing the equivalence of the two viewpoints.
A timing condition $(T_{start}, T_{step}, b, \Pi, S)$ is designed to specify upper and lower bounds on the time until the next occurrence of an event in the action set $\Pi$, measured from certain points during an execution; the particular bounds are given by the interval b. The trigger $T_{start}$ specifies those start states from which we wish to begin measuring the time, while the trigger $T_{step}$ specifies those steps after which we wish to begin measuring. In both cases, the numerical bounds are the same.

Primarily because we wish this generalization to include conditions imposed by boundmaps as a special case, we must include a way of disabling the bound measurements. (In the case of boundmaps, when all the actions in a partition class become disabled simultaneously, the bound measurement also becomes disabled.) Thus, the disabling set S is defined to be a set of states that cause the bound measurement to become suspended. Conditions 1. and 2. simply say that the disabling set does not include any states that the triggers designate as states in which to start the bound measurement.

We sometimes write the timing condition $(T_{start}, T_{step}, b, \Pi, S)$ in the form

$(T_{start}, T_{step}) \xrightarrow{b} (\Pi, S)$.

A timing condition can be used to specify only a lower bound or only an upper bound, by making the other bound trivial (0 for lower bounds, $\infty$ for upper bounds).

Now we define what it means for a timed sequence to satisfy a timing condition. The definition is closely related to the definition we gave earlier of a timed execution; we will show the precise connection in Lemma 2.1.

Definition 2.2 Let $\alpha$ be the timed sequence $s_0, (\pi_1, t_1), s_1, \ldots$. Then $\alpha$ satisfies a timing condition $(T_{start}, T_{step}) \xrightarrow{b} (\Pi, S)$ if the following conditions hold:

1. Suppose $b_u < \infty$.

(a) If $s_0 \in T_{start}$ then there exists $j > 0$ with $t_j \le b_u$ such that either $\pi_j \in \Pi$ or $s_j \in S$.

(b) If $(s_{i-1}, \pi_i, s_i) \in T_{step}$ then there exists $j > i$ with $t_j \le t_i + b_u$ such that either $\pi_j \in \Pi$ or $s_j \in S$.

2. (a) If $s_0 \in T_{start}$ and if there exists $j > 0$ with $t_j < b_\ell$ such that $\pi_j \in \Pi$, then there exists k, $0 < k < j$, such that $s_k \in S$.

(b) If $(s_{i-1}, \pi_i, s_i) \in T_{step}$ and if there exists $j > i$ with $t_j < t_i + b_\ell$ such that $\pi_j \in \Pi$, then there exists k, $i < k < j$, such that $s_k \in S$.

Let $\mathcal{U}$ be a set of timing conditions for an I/O automaton A. We say that a timed sequence $\alpha$ is a timed execution of $(A, \mathcal{U})$ provided that $ord(\alpha)$ is an execution of A and $\alpha$ satisfies every timing condition $U \in \mathcal{U}$.
To justify this new use of the term “timed execution”, and as an example of the use of timing conditions, we show how to express the notion of “timed execution” of (A, b) in terms of timing conditions. Given an arbitrary timed automaton (A, b), we define the set $\mathcal{U}_b$ of timing conditions that are associated with b. For each class C in the partition of A, $\mathcal{U}_b$ includes one timing condition, $cond(C) = (T_{start}(C), T_{step}(C)) \xrightarrow{b(C)} (\Pi(C), S(C))$, defined as follows.

• $T_{start}(C) = start(A) \cap enabled(A, C)$, that is, the set of start states of A in which some action from C is enabled,

• $T_{step}(C)$ is the set of steps $(s', \pi, s)$ of A such that $s \in enabled(A, C)$ and either $s' \in disabled(A, C)$ or $\pi \in C$,

• $\Pi(C) = C$, and

• $S(C) = disabled(A, C)$.

Note that this definition satisfies the two requirements for timing conditions.
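The following Python, added here and not part of the paper, implements Definition 2.2 as a checker over a finite timed sequence and builds the boundmap-derived condition cond(C) from the bullets above (so, by Lemma 2.1, it also checks Definition 2.1 class by class). The clock automaton, its boundmap interval [1, 2] and the three timed sequences are constructed for the illustration; the clock stops after three ticks so that the disabling set S(C) = disabled(A, C) comes into play.

```python
"""Checker for Definition 2.2 (a timed sequence satisfies a timing condition)
and the boundmap-derived condition cond(C).  Added example, not code from the
paper; the clock automaton and the sequences below are constructed."""
from dataclasses import dataclass
from typing import Any, Callable, FrozenSet, List, Tuple

INF = float("inf")
Step = Tuple[Any, str, Any]            # a step (s', pi, s) of A


@dataclass(frozen=True)
class TimingCondition:
    """(T_start, T_step) --b--> (Pi, S); triggers and S are given as predicates."""
    t_start: Callable[[Any], bool]     # T_start: start states that begin a measurement
    t_step: Callable[[Step], bool]     # T_step: steps that begin a measurement
    b_lower: float                     # b_l, must not be inf
    b_upper: float                     # b_u, must not be 0
    pi: FrozenSet[str]                 # Pi: the action set being bounded
    disabling: Callable[[Any], bool]   # S: states that suspend the measurement


def satisfies(seq: List[Any], cond: TimingCondition) -> Tuple[bool, str]:
    """seq is s0, (pi1, t1), s1, (pi2, t2), ..., ending in a state.
    Returns (True, "ok") or (False, the clause of Definition 2.2 that fails).
    A finite sequence is checked literally: a trigger whose upper bound is not
    resolved before the sequence ends counts as a violation of 1(a)/1(b)."""
    states, events = seq[0::2], seq[1::2]      # states[k] = s_k, events[k-1] = (pi_k, t_k)
    n = len(events)
    times = [0.0] + [t for _, t in events]      # times[k] = t_k, with t_0 = 0
    triggers = [0] if cond.t_start(states[0]) else []
    triggers += [i for i in range(1, n + 1)
                 if cond.t_step((states[i - 1], events[i - 1][0], states[i]))]
    for i in triggers:
        clause = "a" if i == 0 else "b"         # (a): start-state trigger, (b): step trigger
        # Condition 1: within b_u of the trigger, a Pi-action occurs or a state in S is reached.
        if cond.b_upper < INF and not any(
                times[j] <= times[i] + cond.b_upper
                and (events[j - 1][0] in cond.pi or cond.disabling(states[j]))
                for j in range(i + 1, n + 1)):
            return False, f"1({clause}): upper bound {cond.b_upper} missed after trigger i={i}"
        # Condition 2: a Pi-action earlier than b_l is allowed only if some s_k, i<k<j, is in S.
        for j in range(i + 1, n + 1):
            if (times[j] < times[i] + cond.b_lower and events[j - 1][0] in cond.pi
                    and not any(cond.disabling(states[k]) for k in range(i + 1, j))):
                return False, f"2({clause}): lower bound {cond.b_lower} violated at j={j} after trigger i={i}"
    return True, "ok"


def cond_of_class(start: Callable[[Any], bool], enabled: Callable[[Any], bool],
                  actions: FrozenSet[str], b_lower: float, b_upper: float) -> TimingCondition:
    """cond(C) for a partition class C with boundmap interval [b_lower, b_upper]:
    T_start = start(A) ∩ enabled(A,C), T_step = steps (s', pi, s) with s enabled and
    (s' disabled or pi in C), Pi = C, S = disabled(A,C)."""
    return TimingCondition(
        t_start=lambda s: start(s) and enabled(s),
        t_step=lambda st: enabled(st[2]) and (not enabled(st[0]) or st[1] in actions),
        b_lower=b_lower, b_upper=b_upper, pi=actions,
        disabling=lambda s: not enabled(s))


# Constructed automaton: a clock whose state is its tick count; 'tick' is enabled
# while fewer than three ticks have happened, so state 3 lies in S(C) = disabled(A,C).
# Boundmap: the clock class gets the interval [1, 2].
CLOCK = cond_of_class(start=lambda n: n == 0, enabled=lambda n: n < 3,
                      actions=frozenset({"tick"}), b_lower=1.0, b_upper=2.0)

OK_SEQ = [0, ("tick", 1.0), 1, ("tick", 2.5), 2, ("tick", 4.0), 3]        # every gap in [1, 2]
TOO_FAST_SEQ = [0, ("tick", 1.0), 1, ("tick", 1.5), 2, ("tick", 4.0), 3]  # second gap 0.5 < 1
TOO_SLOW_SEQ = [0, ("tick", 1.0), 1, ("tick", 3.5), 2, ("tick", 4.0), 3]  # second gap 2.5 > 2

if __name__ == "__main__":
    for name, seq in [("ok", OK_SEQ), ("too fast", TOO_FAST_SEQ), ("too slow", TOO_SLOW_SEQ)]:
        print(f"{name:9s}", satisfies(seq, CLOCK))
```

The third tick leads to state 3, which is in S(C), so that step is not a trigger and OK_SEQ is accepted even though no further tick follows; with an always-enabled clock the same finite prefix would fail clause 1(b), which is the finite-execution issue the paper takes up in Section 5.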

Lemma 2.1 Suppose (A, b) is a timed automaton. Let $\alpha$ be a timed sequence and suppose that $ord(\alpha)$ is an execution of A. Then the following two statements are equivalent.

1. $\alpha$ is a timed execution of (A, b).

2. For every class $C \in part(A)$, $\alpha$ satisfies the timing condition cond(C).

Proof: Let

$\alpha = s_0, (\pi_1, t_1), s_1, \ldots$

be a timed sequence such that $ord(\alpha)$ is an execution of A. First assume that $\alpha$ is a timed execution of (A, b). Let $C \in part(A)$; we show that $\alpha$ satisfies cond(C). The upper bound is a simple substitution. For the lower bound we check only triggering start states; the case of triggering steps is similar. If $s_0 \in T_{start}(C)$, then $s_0 \in enabled(A, C)$. Assume that $\pi_j \in C$, for some $j > 0$. Then from Condition 2. of Definition 2.1 it follows that $t_j \ge b_\ell(C)$, which suffices.

Now assume that $\alpha$ satisfies cond(C) for each $C \in part(A)$; we show that $\alpha$ is a timed execution of (A, b). Again, the upper bound holds easily and the only interesting case to verify is the lower bound. Assume, by way of contradiction, that for some class $C \in part(A)$, there exists an $i \ge 0$, such that $s_i \in enabled(A, C)$ and either $i = 0$ or $s_{i-1} \in disabled(A, C)$ or $\pi_i \in C$, and that there exists $j > i$, such that $t_j < t_i + b_\ell(C)$ and $\pi_j \in C$. Since $\alpha$ satisfies cond(C), and since $S(C) = disabled(A, C)$, it follows that there is some k, $i < k < j$, such that $s_k \in disabled(A, C)$. Let $k_0$ be the largest such k. But then $(s_{k_0}, \pi_{k_0+1}, s_{k_0+1}) \in T_{step}(C)$, $t_j < t_{k_0+1} + b_\ell(C)$ and there is no $k'$, $k_0 < k' < j$, such that $s_{k'} \in S(C)$; this contradicts the fact that $\alpha$ satisfies cond(C). ∎
Lemma 2.1 implies the following corollary.

Corollary 2.2 Suppose (A, b) is a timed automaton. Then a timed sequence $\alpha$ is a timed execution of (A, b) if and only if it is a timed execution of $(A, \mathcal{U}_b)$.

We note that the definition we use for timing condition may not be the most general condition needed to capture all interesting timing requirements. It does capture many, however; we will have more to say about this matter in the conclusions section.


3 Incorporating Timing Conditions into I/O Automata

In order to use invariant assertion techniques to reason about timed automata, we define an ordinary I/O automaton time(A,U) corresponding to a given timed automaton A with timing conditions U. This new automaton has the timing restrictions imposed by U on A built into its transition rules, based on predictions about when the next event from each set of actions will occur. In this section, we give the construction of time(A,U) and also give results relating the executions and behaviors of time(A,U) to the timed executions and timed behaviors of (A,U).

A special and important example of this construction is when U is the set of conditions corresponding to a boundmap for A, i.e., $\mathcal{U}_b$. In this case, we denote the automaton by time(A,b).³ In order to provide a concrete example of the construction we present an explicit description of time(A,b) in Section 3.2. Other special cases of the general construction will be the requirements automata for the two examples we consider in Sections 4 and 6.


3.1 The General Construction

Given any I/O automaton A and set $\mathcal{U}$ of timing conditions for A, we define the ordinary I/O automaton time(A,U) as follows. We write each timing condition $U \in \mathcal{U}$ as

$(T_{start}(U), T_{step}(U)) \xrightarrow{b(U)} (\Pi(U), S(U))$.

The automaton time(A,U) has actions of the form $(\pi, t)$, where $\pi$ is an action of A and t is a nonnegative real number, with the classification of actions the same as for A. Each of its states consists of a state, As, of A (the “A-state”), augmented with a component Ct (the “current time”), and, for each timing condition $U \in \mathcal{U}$, two components Ft(U) and Lt(U) (the “first time” and “last time” for each timing condition). Ct represents the time of the last preceding event. The Ft(U) and Lt(U) components represent, respectively, the first and last times at which the timing condition U specifies that an action in $\Pi(U)$ should occur.

³This automaton was denoted time(A) in [AtL89].


We use record notation to denote the various components of the state of time(A,U); for instance, s.As denotes the state of A included in state s of time(A,U). Each initial state of time(A,U) consists of an initial state s of A, plus Ct = 0, plus values of Ft(U) and Lt(U) with the following property: if $s.As \in T_{start}(U)$ then $s.Ft(U) = b_\ell(U)$ and $s.Lt(U) = b_u(U)$; otherwise, $s.Ft(U) = 0$ and $s.Lt(U) = \infty$. That is, if the start state of A is in the trigger set of U, then the predicted times are the ones specified in U; otherwise, they are set to default values.

If $(\pi, t)$ is an action of time(A,U), then $(s', (\pi, t), s)$ is a step of time(A,U) exactly if the following conditions hold.

1. $(s'.As, \pi, s.As)$ is a step of A.

2. $s'.Ct \le t = s.Ct$.

3. For all $U \in \mathcal{U}$, if $\pi \in \Pi(U)$, then

(a) $s'.Ft(U) \le t \le s'.Lt(U)$,

(b) if $(s'.As, \pi, s.As) \in T_{step}(U)$ then $s.Ft(U) = t + b_\ell(U)$ and $s.Lt(U) = t + b_u(U)$,

(c) if $(s'.As, \pi, s.As) \notin T_{step}(U)$ then $s.Ft(U) = 0$ and $s.Lt(U) = \infty$.

4. For all $U \in \mathcal{U}$, if $\pi \notin \Pi(U)$, then

(a) $t \le s'.Lt(U)$,

(b) if $(s'.As, \pi, s.As) \in T_{step}(U)$ then $s.Ft(U) = t + b_\ell(U)$ and $s.Lt(U) = \min(s'.Lt(U), t + b_u(U))$, and

(c) if $(s'.As, \pi, s.As) \notin T_{step}(U)$ and $s.As \notin S(U)$ then $s.Ft(U) = s'.Ft(U)$ and $s.Lt(U) = s'.Lt(U)$, and

(d) if $s.As \in S(U)$ then $s.Ft(U) = 0$ and $s.Lt(U) = \infty$.

Note that if s is a reachable state of time(A,U) and if $s.As \in S(U)$ then $s.Ft(U) = 0$ and $s.Lt(U) = \infty$.

Intuitively, Condition 1 says that the automaton $\mathrm{time}(A,\mathcal{U})$ is correctly simulating the state transitions of $A$, and Condition 2 says that the $Ct$ components are monotonically nondecreasing, i.e., the new time is at least as great as the previous time. Condition 3 deals with properties involving timing conditions $U$ that include $\pi$ in their action sets: Condition 3(a) says that the time at which the event $\pi$ occurs must be between the bounds specified for $U$; Condition 3(b) says that a triggering step involving $\pi$ imposes new time predictions for $U$, whereas Condition 3(c) says that a non-triggering step involving $\pi$ does not impose any such predictions. Condition 4 deals with properties involving timing conditions $U$ that do not include $\pi$ in their action sets: Condition 4(a) says that $\pi$ can only occur if $U$ does not require any other action to be scheduled first. Condition 4(b) says that a triggering step involving $\pi$ imposes new time predictions for $U$. Note that in this case, there may already be old predictions in effect for this timing condition; the effect of taking the min for the $Lt(U)$ component is to require both the new predictions and any old predictions to be satisfied.⁴ Condition 4(c) says that a non-triggering (and non-disabling) step involving $\pi$ does not impose any new time predictions for $U$. Condition 4(d) says that a disabling step involving $\pi$ sets the time predictions for $U$ back to their defaults.

The partition classes for $\mathrm{time}(A,\mathcal{U})$ are derived one-for-one from those of $A$.⁵

We now relate the timed executions of $(A,\mathcal{U})$ to the executions of the corresponding I/O automaton $\mathrm{time}(A,\mathcal{U})$. In order to do so we introduce a technical definition and some lemmas. Notice that the definition of a timed execution contains aspects of both safety and liveness. Sometimes it is useful to focus on the safety aspects alone. The next definition restricts attention to the safety portions of Definition 2.2.

Definition 3.1 Let $\alpha$ be the finite timed sequence $s_0, (\pi_1,t_1), s_1, \ldots, s_{end}$. Then $\alpha$ semi-satisfies a timing condition $(T_{start},T_{step}) \xrightarrow{b} (\Pi,S)$ if the following conditions hold:

1. Suppose $b_u < \infty$.

 (a) If $s_0 \in T_{start}$ then either $t_{end}(\alpha) < b_u$ or there exists $j > 0$ with $t_j \le b_u$ such that either $\pi_j \in \Pi$ or $s_j \in S$.

 (b) If $(s_{i-1},\pi_i,s_i) \in T_{step}$ then either $t_{end}(\alpha) < t_i + b_u$ or there exists $j > i$ with $t_j \le t_i + b_u$ such that either $\pi_j \in \Pi$ or $s_j \in S$.

2. (a) If $s_0 \in T_{start}$ and if there exists $j > 0$ with $t_j < b_\ell$ such that $\pi_j \in \Pi$, then there exists $k$, $0 < k < j$, such that $s_k \in S$.

 (b) If $(s_{i-1},\pi_i,s_i) \in T_{step}$ and if there exists $j > i$ with $t_j < t_i + b_\ell$ such that $\pi_j \in \Pi$, then there exists $k$, $i < k < j$, such that $s_k \in S$.

The only differences between this definition and Definition 2.2 are the "either" clauses. These clauses allow an action to fail to occur if insufficient time has passed. Now suppose $\mathcal{U}$ is a set of timing conditions for an I/O automaton $A$. A timed sequence $\alpha$ is a timed semi-execution of $(A,\mathcal{U})$ if $\mathrm{ord}(\alpha)$ is an execution of $A$ and for any timing condition $U \in \mathcal{U}$, $\alpha$ semi-satisfies $U$.

An observation we use later is the following, saying that the limit of a sequence of timed semi-executions in which the time components are unbounded must be a timed execution.

⁴The min is necessary because in case there is a prior prediction, it will surely be no greater than the new prediction, so the min will be the first term $s'.Lt(U)$. However, if there is no prior prediction then $s'.Lt(U) = \infty$, so the min will be the second term $t + b_u(U)$. We could have similarly written $s.Ft(U) = \max(s'.Ft(U),\, t + b_\ell(U))$, but that is unnecessary because it is always the case that $s'.Ft(U) \le t + b_\ell(U)$.

⁵It seems that we never need them, however, since the partition classes are used to enforce fairness to the components of the system; in $\mathrm{time}(A,\mathcal{U})$ the timing conditions guarantee that each component gets a fair chance to operate.
Lemma 3.1 Let $\{\alpha_i\}_{i=1}^{\infty}$ be a sequence of timed semi-executions of $(A,\mathcal{U})$ such that

1. for any $i \ge 1$, $\alpha_i$ is a prefix of $\alpha_{i+1}$, and

2. $\lim_{i \to \infty} t_{end}(\alpha_i) = \infty$.

Then there exists a unique infinite timed execution $\alpha$ of $(A,\mathcal{U})$ such that for any $i \ge 1$, $\alpha_i$ is a prefix of $\alpha$.

Proof: Straightforward. ■

If $\alpha$ is an execution of $\mathrm{time}(A,\mathcal{U})$, we define $\mathrm{project}(\alpha)$ to be the timed sequence obtained from $\alpha$ by mapping each occurrence of a state $s$ in $\alpha$ to $s.As$ (while keeping the (action, time) pairs intact). We first show the following simple correspondence between semi-executions of $(A,\mathcal{U})$ and finite executions of $\mathrm{time}(A,\mathcal{U})$.

Lemma 3.2 1. If $\alpha'$ is a timed semi-execution of $(A,\mathcal{U})$, then there exists an execution $\alpha$ of $\mathrm{time}(A,\mathcal{U})$ such that $\alpha' = \mathrm{project}(\alpha)$.

2. If $\alpha$ is a finite execution of $\mathrm{time}(A,\mathcal{U})$, then $\mathrm{project}(\alpha)$ is a timed semi-execution of $(A,\mathcal{U})$.

Proof: 1. Suppose that $\alpha'$ is a given timed semi-execution of $(A,\mathcal{U})$. Then there is a unique timed sequence $\alpha$ whose states are states of $\mathrm{time}(A,\mathcal{U})$, that has $\alpha' = \mathrm{project}(\alpha)$, whose initial state is the unique start state of $\mathrm{time}(A,\mathcal{U})$ having the initial state of $\alpha'$ as its $As$ component, and each of whose steps satisfies Conditions 1, 3(b), 3(c), 4(b), 4(c) and 4(d) of the definition of $\mathrm{time}(A,\mathcal{U})$, plus the equality part of Condition 2 of the definition of $\mathrm{time}(A,\mathcal{U})$. The fact that $\alpha'$ is a timed sequence in which, by definition, the time components are nondecreasing, implies the inequality part of Condition 2. Condition 2 of Definition 3.1 ensures the lower bound part of 3(a) of the definition of $\mathrm{time}(A,\mathcal{U})$, while Condition 1 of Definition 3.1 ensures the upper bound part of 3(a) and also 4(a) of the definition of $\mathrm{time}(A,\mathcal{U})$.

2. By Condition 1 of the definition of $\mathrm{time}(A,\mathcal{U})$, $\mathrm{ord}(\mathrm{project}(\alpha))$ is an execution of the ordinary I/O automaton $A$. It remains to show that for every timing condition $U \in \mathcal{U}$, $\mathrm{project}(\alpha)$ semi-satisfies $U$. The initialization and Conditions 3(a) and 4(a) of the definition of $\mathrm{time}(A,\mathcal{U})$ ensure property 1(a) of Definition 3.1. Conditions 3(b), 4(b), 3(a) and 4(a) of the definition of $\mathrm{time}(A,\mathcal{U})$ ensure property 1(b) of Definition 3.1. The initialization and Condition 3(a) of the definition of $\mathrm{time}(A,\mathcal{U})$ ensure property 2(a) of Definition 3.1, while Conditions 3(b), 4(b), 3(a) and 4(a) ensure property 2(b) of Definition 3.1. ■
We can use these lemmas to prove the following result for infinite sequences:

Lemma 3.3 1. If $\alpha'$ is an infinite timed execution of $(A,\mathcal{U})$, then there exists an infinite execution $\alpha$ of $\mathrm{time}(A,\mathcal{U})$ in which the time components of the actions are unbounded, such that $\alpha' = \mathrm{project}(\alpha)$.

2. If $\alpha$ is an infinite execution of $\mathrm{time}(A,\mathcal{U})$ in which the time components of the actions are unbounded, then $\mathrm{project}(\alpha)$ is a timed execution of $(A,\mathcal{U})$.

Proof: 1. By the same reasoning as for part 1 of Lemma 3.2; the time components are unbounded since $\alpha'$ is an infinite timed sequence.

2. Let $\alpha = s_0, (\pi_1,t_1), s_1, \ldots$ and let $\alpha_i = s_0, (\pi_1,t_1), \ldots, s_i$, for all $i \ge 0$. Since $\alpha_i$ is a finite execution of $\mathrm{time}(A,\mathcal{U})$, $\alpha'_i = \mathrm{project}(\alpha_i)$ is a timed semi-execution of $(A,\mathcal{U})$, by part 2 of Lemma 3.2. Since the time components of the actions in $\alpha$ are unbounded, it follows that $\lim_{i \to \infty} t_{end}(\alpha'_i) = \infty$. Lemma 3.1 implies that $\mathrm{project}(\alpha)$ is a timed execution of $(A,\mathcal{U})$. ■


3.2 Special Case: The Automaton time(A,b)

A very important special case of the construction described in the previous subsection is the case of $\mathrm{time}(A,\mathcal{U}_b)$; this automaton is the result of incorporating the boundmap timing conditions of a timed automaton $(A,b)$ into the automaton transitions. As shorthand, we will sometimes refer to this automaton as $\mathrm{time}(A,b)$ instead of $\mathrm{time}(A,\mathcal{U}_b)$, suppressing explicit mention of the timing conditions $\mathcal{U}_b$. We will also sometimes write $Ft(C)$ instead of $Ft(\mathrm{cond}(C))$ for partition class $C$, and similarly for the other state components.

Because the conditions imposed by a boundmap are fundamental and common instances of timing conditions, and in order to provide an example to illustrate the $\mathrm{time}(A,\mathcal{U})$ definition, we now give an explicit definition of $\mathrm{time}(A,b)$, by instantiating the general definition.

Each of the states of $\mathrm{time}(A,b)$ consists of $As$, a state of $A$, plus $Ct$, plus, for each class $C$ of the partition, two times, $Ft(C)$ and $Lt(C)$. Each initial state $s$ of $\mathrm{time}(A,b)$ consists of an initial state of $A$ as its $As$ component, plus $Ct = 0$, plus values of $Ft(C)$ and $Lt(C)$ with the following property: if there is an action in $C$ enabled in $s.As$, then $s.Ft(C) = b_\ell(C)$ and $s.Lt(C) = b_u(C)$. Otherwise, $s.Ft(C) = 0$ and $s.Lt(C) = \infty$.

If $(\pi,t)$ is an action of $\mathrm{time}(A,b)$, then $(s',(\pi,t),s)$ is a step of $\mathrm{time}(A,b)$ exactly if the following conditions hold.

1. $(s'.As, \pi, s.As)$ is a step of $A$.

2. $s'.Ct \le t = s.Ct$.

3. If $\pi \in C$, then

 (a) $s'.Ft(C) \le t \le s'.Lt(C)$,

 (b) if $s.As \in \mathrm{enabled}(A,C)$, then $s.Ft(C) = t + b_\ell(C)$ and $s.Lt(C) = t + b_u(C)$, and

 (c) if $s.As \in \mathrm{disabled}(A,C)$, then $s.Ft(C) = 0$ and $s.Lt(C) = \infty$.

4. For all classes $D$ such that $\pi$ is not in class $D$,

 (a) $t \le s'.Lt(D)$,

 (b) if $s.As \in \mathrm{enabled}(A,D)$ and $s'.As \in \mathrm{disabled}(A,D)$ then $s.Ft(D) = t + b_\ell(D)$ and $s.Lt(D) = t + b_u(D)$,

 (c) if $s.As \in \mathrm{enabled}(A,D)$ and $s'.As \in \mathrm{enabled}(A,D)$ then $s.Ft(D) = s'.Ft(D)$ and $s.Lt(D) = s'.Lt(D)$, and

 (d) if $s.As \in \mathrm{disabled}(A,D)$ then $s.Ft(D) = 0$ and $s.Lt(D) = \infty$.

In this special case, it is easy to check that for any class $C$ of the partition, any reachable state $s$ in which the $Lt(C)$ and $Ft(C)$ components have non-default values must have $s.As \in \mathrm{enabled}(A,C)$. This definition is obtained from the general one by direct application of the definitions; the only condition that may appear to be slightly different is 4(b), where the general definition uses a min expression for the new value of $Lt(U)$. However, in the special case, any reachable state $s'$ to which case 4(b) applies must have $s'.As \in \mathrm{disabled}(A,D)$; therefore, the remark above implies that the first term in the min expression always has the value $\infty$, and so the min expression can be simplified as given.

In each of our examples in this paper, we will apply the $\mathrm{time}(A,b)$ construction to a timed automaton $A$ modeling the entire system.

3.3 Sufficient Condition

We want to have a sufficient condition for satisfying a set of timing conditions. We define a new kind of mapping, a strong possibilities mapping. Such a mapping is only defined from automata of the form $\mathrm{time}(A,\mathcal{U})$ to $\mathrm{time}(A,\mathcal{V})$, where $\mathcal{U}$ and $\mathcal{V}$ are sets of timing conditions for $A$.

Definition 3.2 Let $A$ be a timed automaton and let $\mathcal{U}$ and $\mathcal{V}$ be sets of timing conditions for $A$. Let $f$ be a mapping from states of $\mathrm{time}(A,\mathcal{U})$ to sets of states of $\mathrm{time}(A,\mathcal{V})$. The mapping $f$ is a strong possibilities mapping from $\mathrm{time}(A,\mathcal{U})$ to $\mathrm{time}(A,\mathcal{V})$ provided that the following conditions hold:

1. For every start state $s_0$ of $\mathrm{time}(A,\mathcal{U})$, there is a start state $u_0$ of $\mathrm{time}(A,\mathcal{V})$ such that $u_0 \in f(s_0)$.

2. If $s'$ is a reachable state of $\mathrm{time}(A,\mathcal{U})$, $u' \in f(s')$ is a reachable state of $\mathrm{time}(A,\mathcal{V})$, and $(s',\pi,s)$ is a step of $\mathrm{time}(A,\mathcal{U})$, then there is a step $(u',\pi,u)$ of $\mathrm{time}(A,\mathcal{V})$ such that $u \in f(s)$.

3. If $u \in f(s)$, then $u.As = s.As$; that is, the mapping is constrained to be the identity on $A$'s state components.

Theorem 3.4 Suppose that there is a strong possibilities mapping from $\mathrm{time}(A,\mathcal{U})$ to $\mathrm{time}(A,\mathcal{V})$. Then any infinite timed execution of $(A,\mathcal{U})$ is a timed execution of $(A,\mathcal{V})$.

Proof: Let $\alpha$ be an infinite timed execution of $(A,\mathcal{U})$. Then Lemma 3.3 part 1 implies that $\alpha = \mathrm{project}(\alpha')$ for some infinite execution $\alpha'$ of $\mathrm{time}(A,\mathcal{U})$ in which the time components are unbounded. Since there is a strong possibilities mapping from $\mathrm{time}(A,\mathcal{U})$ to $\mathrm{time}(A,\mathcal{V})$, there is an execution $\alpha''$ of $\mathrm{time}(A,\mathcal{V})$ such that $\alpha'$ and $\alpha''$ are identical except for the time prediction state components. Therefore, $\alpha = \mathrm{project}(\alpha'')$. Since $\alpha''$ is infinite and has its time components unbounded (because the same is true of $\alpha'$), Lemma 3.3 part 2 implies that $\alpha$ is a timed execution of $(A,\mathcal{V})$. ■

Thus a mapping proof yields, in this case, all the timing properties we require, including both safety and liveness properties. The mapping immediately yields the safety properties. (Recall that the safety properties are the lower bounds, as well as the upper bounds that assert that time cannot elapse without a certain event having occurred.) But when these safety properties are combined with the property that a timed execution is infinite and our assumption that the time in infinite timed executions is unbounded (so that time increases without bound), they also imply that the events in question must eventually occur.

4 First Example: Resource Manager

Now we present our first example, a simple resource-granting system adapted from an algorithm in [AtL89]. The system consists of two components, a clock and a manager. The clock ticks at an approximately-predictable rate, and the manager counts ticks in order to decide when to grant a resource. We wish to analyze the time until the first grant, and the time between each successive pair of grants.

We describe the algorithm and its timing assumptions as a timed automaton $(A,b)$. The required timing behavior is presented as a set of timing conditions $\mathcal{U}$; we prove that the algorithm satisfies the requirements by demonstrating a strong possibilities mapping from $\mathrm{time}(A,b)$ to $\mathrm{time}(A,\mathcal{U})$.

4.1 The Algorithm

The algorithm consists of two components, a clock and a manager. The clock has only one action, the output TICK, which is always enabled, and has no effect on the clock's state. It can be described as the particular one-state automaton with the following steps.⁶

⁶In the notation we use for automata, a separate description is given for the steps involving each action. Instead of listing the steps, we provide a "precondition" which describes the set of states in which the action is enabled, and an "effect" which describes the changes caused by the action. Input actions do not have a precondition, because they are always enabled.

TICK
  Precondition:
    true
  Effect:
    none

The boundmap associates the interval $[c_1,c_2]$, where $0 < c_1 \le c_2 < \infty$, with the single class, $\{TICK\}$, of the partition. For convenience, we overload the notation and designate this singleton class as TICK also. This means that successive TICK events occur with intervening times in the given interval.

The manager has one input action, TICK, one output action, GRANT, and one internal action, ELSE. The manager waits a particular number $k > 0$ of clock ticks before issuing each GRANT, counting from the beginning or from the last preceding GRANT. The manager's state has one component: TIMER, holding an integer, initially $k$.

The manager's algorithm is as follows:

TICK
  Effect:
    TIMER := TIMER - 1

GRANT
  Precondition:
    TIMER ≤ 0
  Effect:
    TIMER := k

ELSE
  Precondition:
    TIMER > 0
  Effect:
    none

Notice that ELSE is enabled exactly when GRANT is not enabled. The effect of including the ELSE action is to ensure that the automaton continues taking steps at its "own pace", at approximately regular intervals.

Thus, in the situation we are modeling, when the GRANT action's precondition becomes satisfied, the action does not occur instantly; the action waits until the automaton's next local step occurs.⁷

⁷An alternative situation is one in which the manager is interrupt-driven, that is, whenever the precondition of a GRANT becomes true, the GRANT occurs shortly thereafter. This situation could be modeled by omitting the ELSE action. The two automata have slightly different timing properties. In this paper, we only consider the first assumption.

The partition groups the GRANT and ELSE actions into a single equivalence class LOCAL, with which the boundmap associates the interval $[0,l]$, where $0 < l < \infty$. We assume that $c_1 > l$.⁸ Fix $A$ to be the I/O automaton which is the composition of the clock and manager, with the TICK output action converted to an internal action; thus, the only external action of $A$ is the output action GRANT. Also, let $b$ be the boundmap described above. We wish to show that all the timed behaviors of $(A,b)$ satisfy certain upper and lower bounds on the time up to the first GRANT and the time between consecutive pairs of GRANT events.

Note that our resource manager is much simpler than the usual examples; in particular, there is no REQUEST input action that triggers the GRANT output. We do not think that such added structure would add much to the conceptual difficulty of the example or expose any interesting property of the methodology we suggest here; however, it would make the analysis somewhat longer.

We begin our analysis by stating some invariant properties of the algorithm. In order to do this, we need timing information to be included in the state, so we consider the automaton $\mathrm{time}(A,b)$, constructed as described in Section 3.2. Notice that in this case, the automaton $\mathrm{time}(A,b)$ has the following components: $As$, $Ct$, $Ft(TICK)$, $Lt(TICK)$, $Ft(LOCAL)$, and $Lt(LOCAL)$.

The next lemma states invariant properties of the automaton $\mathrm{time}(A,b)$. Notice that the second property involves the time components of the state. The proof of this lemma is fairly technical and appears in full detail in Appendix A.

Lemma 4.1 The following are true about any reachable state $s$ of $\mathrm{time}(A,b)$.

1. $s.TIMER \ge 0$.

2. If $s.TIMER = 0$ then $s.Ft(TICK) \ge s.Lt(LOCAL) + c_1 - l$.

We close this subsection with a basic property of $\mathrm{time}(A,b)$ (for this fixed $(A,b)$).

Lemma 4.2 All timed executions of $(A,b)$ are infinite.

4.2 The Requirements Automaton

We wish to show the following, for any timed behavior $\beta$ of $(A,b)$:

1. There are infinitely many GRANT events in $\beta$.

2. If $t$ is the time of the first GRANT event in $\beta$, then $k \cdot c_1 \le t \le k \cdot c_2 + l$.

3. If $t_1$ and $t_2$ are the times of any two consecutive GRANT events in $\beta$, then $k \cdot c_1 - l \le t_2 - t_1 \le k \cdot c_2 + l$.

⁸Again, a different assumption would change the timing analysis.

We let $P$ denote the set of sequences of (action, time) pairs satisfying the above three conditions.

We will specify $P$ in terms of another I/O automaton, called the requirements automaton. We define two timing conditions, $G_1$ for the time until the initial GRANT event and $G_2$ for the time between successive GRANT events. The requirements automaton $B$ is defined to be $\mathrm{time}(A,\{G_1,G_2\})$.

We now define the conditions. The first condition, $G_1$, is $(T_{start}(G_1), \emptyset) \xrightarrow{b(G_1)} (\Pi(G_1), \emptyset)$, where

• $T_{start}(G_1)$ is the (singleton) set of start states of $A$,

• $b_\ell(G_1) = k \cdot c_1$ and $b_u(G_1) = k \cdot c_2 + l$, and

• $\Pi(G_1) = \{GRANT\}$.

The second condition, $G_2$, is $(\emptyset, T_{step}(G_2)) \xrightarrow{b(G_2)} (\Pi(G_2), \emptyset)$, where

• $T_{step}(G_2) = \{(s',\pi,s) \in \mathrm{steps}(A) : \pi = GRANT\}$,

• $b_\ell(G_2) = k \cdot c_1 - l$ and $b_u(G_2) = k \cdot c_2 + l$, and

• $\Pi(G_2) = \{GRANT\}$.

Note that the behaviors of $B$ and the sequences in $P$ both consist of elements that are pairs, an action of $A$ together with a time. Furthermore, if $\alpha$ is a timed execution of $(A,\{G_1,G_2\})$ then $\mathrm{beh}(\alpha)$ is in $P$.

By Lemma 4.2 all the timed executions of $(A,b)$ are infinite. Thus, by Theorem 3.4, all we need to do is to show a strong possibilities mapping from $\mathrm{time}(A,b)$ to $\mathrm{time}(A,\{G_1,G_2\}) = B$. The complete formal proof appears in the next section.

4.3 The Mapping

In this section, we present a strong possibilities mapping from $\mathrm{time}(A,b)$ to $B$, thereby showing that all schedules of $\mathrm{time}(A,b)$ are also schedules of $B$. This fact is then used to prove Theorem 4.4, which says that all timed behaviors of $(A,b)$ are in $P$.

We define a mapping $f$ so that a state $u$ of $B$ is in the image set $f(s)$ exactly if the following conditions hold.

1. If $s.TIMER > 0$ then

 (a) $\min(u.Lt(G_1), u.Lt(G_2)) \ge s.Lt(TICK) + (s.TIMER - 1)\,c_2 + l$, and

 (b) $\max(u.Ft(G_1), u.Ft(G_2)) \le s.Ft(TICK) + (s.TIMER - 1)\,c_1$.

2. If $s.TIMER = 0$ then

 (a) $\min(u.Lt(G_1), u.Lt(G_2)) \ge s.Lt(LOCAL)$, and

 (b) $\max(u.Ft(G_1), u.Ft(G_2)) \le s.Ct$.

The inequalities should be interpreted as giving explicit upper and lower bounds for the time of the next GRANT event, in terms of the values of the variables in the state of $\mathrm{time}(A,b)$. Intuitively, the right-hand side of the inequality describes how the bounds will be satisfied; for example, in the case of inequality 1(a), a TICK event must happen by time $Lt(TICK)$, and then after $TIMER - 1$ additional ticks, each happening after at most $c_2$ time, TIMER will become 0, thus enabling the GRANT, which will happen within at most time $l$.

If we think of the value of $\min(Lt(G_1), Lt(G_2))$ as indicating an upper bound on the time when a GRANT will next occur, then it should not be surprising that any sufficiently large number (with respect to the values of the variables in the state of $\mathrm{time}(A,b)$) could be used as the value of this minimum. This just indicates that any such value could be proved to be an upper bound. Similarly, any sufficiently small number could be used as the value for $\max(Ft(G_1), Ft(G_2))$, a lower bound on the time when a GRANT event will next occur.

Thus, the inequalities comprising the strong possibilities mapping express the fact that any sufficiently large number (with respect to the values of the variables in the state of $\mathrm{time}(A,b)$) should be provable as an upper bound for the time for the next GRANT, and any sufficiently small number should be provable as a lower bound.⁹

The given mapping is obviously multivalued, because it is described in terms of inequalities. It seems possible to use a single-valued mapping for this example by complicating the definition of the requirements automaton; however, since the requirements automaton is serving as the problem specification, that does not seem like a good idea. More discussion of the issue of multivalued vs. single-valued mappings appears in [Ly89].

Although (we think that) the correspondence between $\mathrm{time}(A,b)$ and $B$ described by $f$ is easy to understand, verifying formally that $f$ is indeed a strong possibilities mapping is a fairly long and mechanical process. The complete proof appears in Appendix A.

Lemma 4.3 The mapping $f$ is a strong possibilities mapping.

⁹Note that if we simply replaced the inequalities with equations, the resulting mapping would not be a strong possibilities mapping. For example, suppose that a clock tick occurs within less than the maximum $c_2$. Then the right-hand side expression in 1(a) would evaluate after the step to an earlier time than before the step. On the other hand, the corresponding step in the requirements automaton would not change the value of $\min(u.Lt(G_1), u.Lt(G_2))$; the correspondence thus would not be preserved.

Now we can put the pieces together.

Theorem 4.4 All timed behaviors of $(A,b)$ are in $P$.

Proof: Let $\beta$ be a timed behavior of $(A,b)$. Let $\alpha$ be a timed execution of $(A,b)$ such that $\beta = \mathrm{beh}(\alpha)$. By Lemma 4.2, $\alpha$ is infinite. By Lemma 4.3, there exists a strong possibilities mapping from $\mathrm{time}(A,b)$ to $\mathrm{time}(A,\{G_1,G_2\})$. Thus, by Theorem 3.4, $\alpha$ is a timed execution of $(A,\{G_1,G_2\})$. This implies that $\beta \in P$. ■
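The following program is an added illustration and is not part of the paper: it instantiates the $\mathrm{time}(A,b)$ construction of Section 3.2 for the clock/manager system, generates random timed executions of it, and checks on every execution Lemma 4.1, the bounds on the next GRANT that the mapping $f$ of Section 4.3 reads off each state, and the conditions $G_1$ and $G_2$ through Definition 3.1. Everything beyond the paper's definitions is an assumption made here: integer time units, the parameter values $k = 3$, $c_1 = 10$, $c_2 = 15$, $l = 4$ (so that $c_1 > l$), the scheduling policy that picks any legal action at any legal time, and the names `step`, `random_execution`, `grant_window`, `semi_satisfies` and `check_execution`.

```python
"""time(A,b) for the clock/manager system of Section 4, simulated on integer time.
Added example, not the paper's code; k, c1, c2, l and the scheduler are assumptions."""
import random

INF = float("inf")
K, C1, C2, L = 3, 10, 15, 4          # assumed parameters; c1 > l as the paper requires

# Untimed automaton A: the clock has one state, so an A-state is the manager's TIMER.
ACTIONS = {                           # action -> (precondition, effect) on TIMER
    "TICK":  (lambda timer: True,       lambda timer: timer - 1),
    "GRANT": (lambda timer: timer <= 0, lambda timer: K),
    "ELSE":  (lambda timer: timer > 0,  lambda timer: timer),
}
CLASS_OF = {"TICK": "TICK", "GRANT": "LOCAL", "ELSE": "LOCAL"}  # partition classes
BOUNDMAP = {"TICK": (C1, C2), "LOCAL": (0, L)}                 # b(C) = [b_l(C), b_u(C)]

def enabled(timer, cls):
    return any(ACTIONS[a][0](timer) for a in CLASS_OF if CLASS_OF[a] == cls)

def initial_state():
    s = {"As": K, "Ct": 0, "Ft": {}, "Lt": {}}
    for c, (lo, hi) in BOUNDMAP.items():
        s["Ft"][c], s["Lt"][c] = (lo, hi) if enabled(K, c) else (0, INF)
    return s

def step(sp, action, t):
    """Successor s with (sp, (action, t), s) a step of time(A,b), or None when
    Conditions 1-4 of Section 3.2 reject the step."""
    pre, eff = ACTIONS[action]
    c = CLASS_OF[action]
    if not pre(sp["As"]) or t < sp["Ct"]:                      # Conditions 1 and 2
        return None
    if not sp["Ft"][c] <= t <= sp["Lt"][c]:                    # Condition 3(a)
        return None
    if any(t > sp["Lt"][d] for d in BOUNDMAP if d != c):      # Condition 4(a)
        return None
    s = {"As": eff(sp["As"]), "Ct": t, "Ft": {}, "Lt": {}}
    for d, (lo, hi) in BOUNDMAP.items():
        if not enabled(s["As"], d):                             # 3(c), 4(d): defaults
            s["Ft"][d], s["Lt"][d] = 0, INF
        elif d == c or not enabled(sp["As"], d):                # 3(b), 4(b): new predictions
            s["Ft"][d], s["Lt"][d] = t + lo, t + hi
        else:                                                   # 4(c): keep old predictions
            s["Ft"][d], s["Lt"][d] = sp["Ft"][d], sp["Lt"][d]
    return s

def random_execution(rng, n_steps):
    """Finite execution of time(A,b) as [(state, action, time), ...]: any legal action
    at any legal integer time (this scheduling policy is an assumption)."""
    s = initial_state()
    ex = [(s, None, 0)]
    for _ in range(n_steps):
        deadline = min(s["Lt"].values())       # 4(a): nothing may be delayed past this
        legal = [a for a in ACTIONS
                 if ACTIONS[a][0](s["As"]) and s["Ft"][CLASS_OF[a]] <= deadline]
        a = rng.choice(legal)
        t = rng.randint(max(s["Ct"], s["Ft"][CLASS_OF[a]]), deadline)
        s = step(s, a, t)
        ex.append((s, a, t))
    return ex

def simulate(seed, n_steps=300):
    return random_execution(random.Random(seed), n_steps)

def lemma_4_1(s):
    return s["As"] >= 0 and (s["As"] != 0 or s["Ft"]["TICK"] >= s["Lt"]["LOCAL"] + C1 - L)

def grant_window(s):
    """Bounds on the next GRANT that the mapping f of Section 4.3 reads off state s
    (the right-hand sides of its inequalities 1(b), 1(a) and 2(b), 2(a))."""
    if s["As"] > 0:
        return (s["Ft"]["TICK"] + (s["As"] - 1) * C1, s["Lt"]["TICK"] + (s["As"] - 1) * C2 + L)
    return s["Ct"], s["Lt"]["LOCAL"]

def semi_satisfies(ex, is_start, is_trigger, lo, hi, in_pi, in_s):
    """Definition 3.1 for (T_start, T_step) -b-> (Pi, S), evaluated on project(ex)."""
    states, acts, times = [e[0]["As"] for e in ex], [e[1] for e in ex], [e[2] for e in ex]
    t_end = times[-1]
    triggers = [(0, 0)] if is_start(states[0]) else []
    triggers += [(i, times[i]) for i in range(1, len(ex))
                 if is_trigger(states[i - 1], acts[i], states[i])]
    for i, ti in triggers:
        later = range(i + 1, len(ex))
        met = any(times[j] <= ti + hi and (in_pi(acts[j]) or in_s(states[j])) for j in later)
        if hi < INF and not met and not t_end < ti + hi:           # condition 1 (upper bound)
            return False
        for j in later:                                             # condition 2 (lower bound)
            if times[j] < ti + lo and in_pi(acts[j]) and \
                    not any(in_s(states[k]) for k in range(i + 1, j)):
                return False
    return True

def check_execution(ex):
    """Lemma 4.1 and f's window on every state, then G1 and G2 on project(ex)."""
    grants = [(i, t) for i, (_, a, t) in enumerate(ex) if a == "GRANT"]
    for i, (s, _, _) in enumerate(ex):
        later = [t for j, t in grants if j > i]
        lo, hi = grant_window(s)
        if not lemma_4_1(s) or (later and not lo <= later[0] <= hi):
            return False
    is_grant, never = (lambda a: a == "GRANT"), (lambda *_: False)
    g1 = semi_satisfies(ex, lambda st: st == K, never, K * C1, K * C2 + L, is_grant, never)
    g2 = semi_satisfies(ex, never, lambda _p, a, _s: a == "GRANT",
                        K * C1 - L, K * C2 + L, is_grant, never)
    return g1 and g2
```

`check_execution(simulate(seed))` returns `True` for every seed tried. Two details are worth noticing when running it. First, `grant_window(initial_state())` returns `(30, 49)`, which is exactly $[k \cdot c_1,\, k \cdot c_2 + l]$, the interval that $G_1$ demands; inequalities 1(b) and 1(a) of $f$ assert precisely that the start state of $B$ may carry these values as $Ft(G_1)$ and $Lt(G_1)$. Second, `step` rejects a TICK at time 10 from the start state although $Ft(TICK) \le 10 \le Lt(TICK)$, because Condition 4(a) insists that the pending LOCAL step (due by $l = 4$) be scheduled first; this is the mechanism behind Lemma 4.1, which keeps a TICK from pushing TIMER below zero while a GRANT is pending.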


5 Dummification

When all the timed executions of a timed automaton are infinite, as in the previous example, then Theorem 3.4 suffices to prove all the timing conditions, including the liveness parts. Unfortunately, there are many examples where the timed automaton has timed executions that are finite. Since it is much more straightforward to use our proof method when all complete executions are infinite, we augment such timed automata to have only infinite timed executions. For a timed automaton $(A,b)$ we define a variant $(\bar{A},\bar{b})$, which augments $A$ with a "dummy" component that always has locally-controlled actions enabled. All of the timed executions of $(\bar{A},\bar{b})$ will be infinite, and the executions of $(A,b)$ and $(\bar{A},\bar{b})$ are very closely related (see Lemma 5.3 below). Thus, we will be able to reason about $(\bar{A},\bar{b})$ and obtain consequences for the original timed automaton $(A,b)$.

For any timed automaton $(A,b)$, define $(\bar{A},\bar{b})$, the dummification of $(A,b)$, as follows. We augment the automaton $A$ with a single new component called the dummy. Assume, w.l.o.g., that $NULL \notin \mathrm{actions}(A)$. The dummy has a single action, an output NULL (which is not shared by any of the other components). It has only one state, $dummystate$, in which NULL is enabled. The boundmap associates any interval $[n_1,n_2]$ such that $0 < n_1 \le n_2 < \infty$ with the new singleton partition class, NULL. Let $\bar{A}$ be the automaton composed of $A$ and the dummy. Also, let $\bar{b}$ be the boundmap that is identical to $b$ except for the addition of the new interval $[n_1,n_2]$ for the new partition class, NULL.

Lemma 5.1 Let $(A,b)$ be a timed automaton, and let $(\bar{A},\bar{b})$ be the dummification of $(A,b)$. Then all timed executions of $(\bar{A},\bar{b})$ are infinite.

If $\bar{\alpha}$ is a timed sequence for $\bar{A}$, define $\mathrm{undum}(\bar{\alpha})$ to be the result of removing the following from $\bar{\alpha}$: the $dummystate$ component and the NULL steps. We have the following lemma.

Lemma 5.2 Let $(A,b)$ be a timed automaton.

1. If $\bar{\alpha}$ is a timed execution of $(\bar{A},\bar{b})$ then $\mathrm{undum}(\bar{\alpha})$ is a timed execution of $(A,b)$.

2. Let $\alpha$ be a timed execution of $(A,b)$. Then there exists a timed execution $\bar{\alpha}$ of $(\bar{A},\bar{b})$ such that $\alpha = \mathrm{undum}(\bar{\alpha})$.

Suppose that $U = (T_{start}, T_{step}, b, \Pi, S)$ is a timing condition for an I/O automaton $A$. Then we define a corresponding timing condition $\bar{U} = (\bar{T}_{start}, \bar{T}_{step}, \bar{b}, \bar{\Pi}, \bar{S})$ for $\bar{A}$, as follows: $\bar{T}_{start} = T_{start} \times \{dummystate\}$, $\bar{T}_{step} = \{((s', dummystate), \pi, (s, dummystate)) \mid (s',\pi,s) \in T_{step}\}$, $\bar{b} = b$, $\bar{\Pi} = \Pi$, and $\bar{S} = S \times \{dummystate\}$. If $\mathcal{U}$ is a set of timing conditions for $A$ then define $\bar{\mathcal{U}} = \{\bar{U} \mid U \in \mathcal{U}\}$.

Lemma 5.3 Let $\mathcal{U}$ be a set of timing conditions for $A$ and let $\bar{\mathcal{U}}$ be the set of timing conditions for $\bar{A}$ defined above.

1. If $\bar{\alpha}$ is a timed execution of $(\bar{A},\bar{\mathcal{U}})$ then $\mathrm{undum}(\bar{\alpha})$ is a timed execution of $(A,\mathcal{U})$.

2. If $\alpha$ is a timed execution of $(A,\mathcal{U})$ then any timed sequence $\bar{\alpha}$ such that $\alpha = \mathrm{undum}(\bar{\alpha})$ and $\mathrm{ord}(\bar{\alpha})$ is an execution of $\bar{A}$ is a timed execution of $(\bar{A},\bar{\mathcal{U}})$.

Theorem 5.4 Let $(A,b)$ be a timed automaton, and let $(\bar{A},\bar{b})$ be the dummification of $(A,b)$. Let $\mathcal{U}$ be a set of timing conditions for $A$. Assume that there is a strong possibilities mapping from $\mathrm{time}(\bar{A},\bar{b})$ to $\mathrm{time}(\bar{A},\bar{\mathcal{U}})$. Then every timed execution of $(A,b)$ satisfies $\mathcal{U}$.

Proof: Let $\alpha$ be a timed execution of $(A,b)$. By Lemma 5.2, there is a timed execution $\bar{\alpha}$ of $(\bar{A},\bar{b})$ such that $\alpha = \mathrm{undum}(\bar{\alpha})$. By Lemma 5.1, $\bar{\alpha}$ is infinite. Since there is a strong possibilities mapping from $\mathrm{time}(\bar{A},\bar{b})$ to $\mathrm{time}(\bar{A},\bar{\mathcal{U}})$, Theorem 3.4 implies that $\bar{\alpha}$ is a timed execution of $(\bar{A},\bar{\mathcal{U}})$. Thus, by Lemma 5.3 part 1, $\alpha$ is a timed execution of $(A,\mathcal{U})$, as needed. ■

6  Second  Example:  Signal  Relay 

Now we present our second example, a simple signal relay. The system is a composition of a collection of $n+1$ processes, $P_0, \ldots, P_n$, organized as a line. $P_0$ generates $SIGNAL_0$ (once), and the intermediate processes relay it, so that $P_n$ eventually generates $SIGNAL_n$. We wish to analyze the total delay a signal incurs, as a function of its delay at each of the relaying processes.

Again, we describe the algorithm and its timing assumptions as a timed automaton $(A,b)$, and the required timing behavior as a set of timing conditions $\mathcal U$. This time, however, we do not simply present a direct mapping from $time(A,b)$ to $time(A, \mathcal U)$ (although we could have). Rather, we use a sequence of intermediate automata, exhibiting strong possibilities mappings between each consecutive pair of automata in the sequence. The style of the reasoning involved corresponds closely to that of a proof based on recurrence inequalities. (In fact, this example was inspired by the recurrence-inequality proof sketch in [LG89] for the tournament mutual exclusion algorithm of [PF77].)
6.1 The Algorithm

The algorithm consists of $n+1$ automata, $P_0, \ldots, P_n$, where $n \ge 1$. $P_0$ has one action, the output $SIGNAL_0$. The state of $P_0$ consists of one component, FLAG, a Boolean value, initially true.

$P_0$'s algorithm is as follows:

$SIGNAL_0$
    Precondition:
        FLAG = true
    Effect:
        FLAG := false

The boundmap associates the interval $[0, \infty]$ with the single class, $\{SIGNAL_0\}$, of the partition. As before, we also designate this class as $SIGNAL_0$; we use similar notational conventions for the remaining singleton classes in the paper.

Each automaton $P_i$, $1 \le i \le n$, has an input action $SIGNAL_{i-1}$ and an output action $SIGNAL_i$. Each automaton state contains the single component FLAG, holding a Boolean value, initially false.

The algorithm for $P_i$ is:

$SIGNAL_{i-1}$
    Effect:
        FLAG := true

$SIGNAL_i$
    Precondition:
        FLAG = true
    Effect:
        FLAG := false

The boundmap associates the interval $[d_1, d_2]$, where $0 < d_1 \le d_2 < \infty$, with the single class, $SIGNAL_i$, of the partition for $P_i$.

Now we fix $A$ to be the timed automaton which is the composition of all the $P_i$'s, with all actions except $SIGNAL_0$ and $SIGNAL_n$ made internal, and $b$ to be the boundmap described above. We will prove that if a $SIGNAL_0$ occurs, then the difference between the time it occurs and the time at which a later $SIGNAL_n$ occurs is at least $n \cdot d_1$ and at most $n \cdot d_2$.

Note that all the timed executions of $(A,b)$ are finite, thus we will apply dummification (as described in the previous section) to make all the timed executions infinite.

We first state the following simple invariant about $A$. The proof is by a simple induction.

Lemma 6.1 In any reachable state $s$ of $A$, if $SIGNAL_i$ is enabled in $s$, then for all $j \ne i$, $0 \le j \le n$, $SIGNAL_j$ is not enabled in $s$.


6.2  The  Requirements  Automaton 

We wish to show the following, for any timed behavior $\beta$ of $(A,b)$:

1. If a $SIGNAL_0$ event occurs in $\beta$, then a single later $SIGNAL_n$ event occurs in $\beta$.

2. If $t_1$ is the time of a $SIGNAL_0$ event and $t_2$ is the time of the corresponding $SIGNAL_n$ event then:

$$n \cdot d_1 \le t_2 - t_1 \le n \cdot d_2.$$

We let $Q$ denote the set of sequences of (action, time) pairs satisfying the above two conditions.

We will specify $Q$ in terms of a requirements automaton. Towards this end, we define the following timing condition, $U_{0,n} = (\emptyset, T_{0,n}, b_{0,n}, \Pi_{0,n}, \emptyset)$, where

• $T_{0,n} = \{(s', \pi, s) \in steps(A) : \pi = SIGNAL_0\}$,

• $b_{0,n} = [n \cdot d_1, n \cdot d_2]$ and

• $\Pi_{0,n} = \{SIGNAL_n\}$.

Notice that if $\alpha$ is a timed execution of $(A, \{U_{0,n}\})$ then $beh(\alpha)$ is in $Q$. The requirements automaton $B$ is $time(A, \{U_{0,n}\})$.

By  Theorem  5.4  all  we  need  to  do  is  to  show  a  strong  possibilities  mapping  from  time(A,b) 
to  B.  The  complete  formal  proof  appears  in  the  next  section. 

6.3  The  Intermediate  Requirements  Automata 

One way of proceeding would be to exhibit a strong possibilities mapping directly from $time(A,b)$ to $B$, following the pattern of the first example. However, an alternative and attractive strategy might be based on the recursive structure of the line of processes. For instance, one might give a recursive analysis of the time between any $SIGNAL_k$, $0 \le k \le n-2$, and $SIGNAL_n$ in terms of the time between $SIGNAL_{k+1}$ and $SIGNAL_n$. Thus, the analysis would be based on recurrence inequalities. Several examples of such recurrence inequality analyses (for upper bounds only) appear in [LG89]; the analysis of the Peterson-Fischer ([PF77]) tournament algorithm in [LG89, p. 26-30] is a particularly good example of this proof style.

Recurrence inequality proofs, however, have an “operational” style that is very different from the assertional style we are describing here. We would like to be able to utilize the power of the recurrence analysis within our assertional framework. In order to do this, instead of proceeding to show directly that every schedule of $time(A,b)$ is a schedule of $B$ by a strong possibilities mapping, we proceed using a hierarchy of intermediate requirements automata. Each intermediate requirements automaton, $B_k$, includes the same timing conditions as are given by the boundmap $b$, for partition classes $SIGNAL_0, \ldots, SIGNAL_k$, plus a new timing condition that provides bounds on the time between $SIGNAL_k$ and a subsequent $SIGNAL_n$. The recursive argument described above, expressing the time between $SIGNAL_k$ and $SIGNAL_n$ in terms of the time between $SIGNAL_{k+1}$ and $SIGNAL_n$, is then captured formally by a strong possibilities mapping from $B_k$ to $B_{k+1}$.

In  this  subsection,  we  define  the  intermediate  automata. 

First, for every $k$, $0 \le k \le n-1$, we define a timing condition stating that the time between $SIGNAL_k$ and $SIGNAL_n$ (if $SIGNAL_k$ occurs) is in the interval $[(n-k)d_1, (n-k)d_2]$. (In particular, the condition will imply that each $SIGNAL_k$ is actually followed by a corresponding $SIGNAL_n$.) When $k = n-1$, this condition will be the same as the timing condition assigned by the boundmap $b$ to the class containing $SIGNAL_n$. On the other hand, when $k = 0$, this condition is the same as the condition $U_{0,n}$ previously defined, i.e., the timing condition we wish to prove.

Formally, for any $0 \le k \le n-1$,¹⁰ we define the following timing condition, $U_{k,n} = (\emptyset, T_{k,n}, b_{k,n}, \Pi_{k,n}, \emptyset)$, where

• $T_{k,n} = \{(s', \pi, s) \in steps(A) : \pi = SIGNAL_k\}$,

• $b_{k,n} = [(n-k) \cdot d_1, (n-k) \cdot d_2]$, and

• $\Pi_{k,n} = \{SIGNAL_n\}$.

For any $k$, $0 \le k \le n-1$, let $\mathcal U_k$ be the set of timing conditions that includes $U_{k,n}$ and the conditions assigned by boundmap $b$ to the partition classes $SIGNAL_0, \ldots, SIGNAL_k$. Let $B_k$ denote the I/O automaton $time(A, \mathcal U_k)$.

In the next subsection, we will show the existence of a strong possibilities mapping from $B_k$ to $B_{k-1}$, for every $k$, $1 \le k \le n-1$. This implies that there is a strong possibilities mapping from $B_{n-1}$ to $B_0$. Moreover, there is a trivial strong possibilities mapping from $B_0$ to the requirements automaton $B$ (which just ignores the timing conditions associated by $b$ with the partition class $SIGNAL_0$). Similarly, there is a trivial strong possibilities mapping from $time(A,b)$ to $B_{n-1}$ (which simply renames the state components associated with $SIGNAL_n$). Therefore, this mapping proof will imply the existence of a strong possibilities mapping from $time(A,b)$ to $B$.

6.4  The  Mapping 

In this subsection, we fix a particular value of $k$, $1 \le k \le n-1$, and show the existence of a strong possibilities mapping, $f_k$, from $B_k$ to $B_{k-1}$.

¹⁰The redefinition of $U_{0,n}$ is consistent with the prior definition.

Recall that the timing conditions included in $B_k$ are those for $U_{k,n}$, $SIGNAL_0, \ldots, SIGNAL_k$ and NULL, while those included in $B_{k-1}$ are those for $U_{k-1,n}$, $SIGNAL_0, \ldots, SIGNAL_{k-1}$ and NULL. For the sake of convenience we denote by $Ft(k,n)$ (respectively, $Lt(k,n)$) the $Ft$ (respectively, $Lt$) component of the state of $B_k$ that is associated with $U_{k,n}$. Also, as we did in our construction of $time(A,b)$, we denote by $Ft(C)$ (respectively, $Lt(C)$) the $Ft$ (respectively, $Lt$) components that are associated by the boundmap $b$ with each partition class $C$. We also use the notation $FLAG_i$, $0 \le i \le n$, to denote the FLAG component of $P_i$.

Now we define $f_k$ so that a state $u \in states(B_{k-1})$ is in the image set $f_k(s)$, for $s \in states(B_k)$, exactly if the following hold.

$$u.Lt(k-1,n) \ge \begin{cases} s.Lt(k,n) & \text{if } s.FLAG_i = true \text{ for some } i,\ k+1 \le i \le n \\ s.Lt(SIGNAL_k) + (n-k)d_2 & \text{if } s.FLAG_k = true \\ \infty & \text{otherwise,} \end{cases}$$

and

$$u.Ft(k-1,n) \le \begin{cases} s.Ft(k,n) & \text{if } s.FLAG_i = true \text{ for some } i,\ k+1 \le i \le n \\ s.Ft(SIGNAL_k) + (n-k)d_1 & \text{if } s.FLAG_k = true \\ 0 & \text{otherwise,} \end{cases}$$

and every other component of state $u$ of $B_{k-1}$ is equal to the corresponding component of the state $s$; notice that by Lemma 6.1 if $FLAG_k = true$ then $FLAG_i = false$ for all $i \ne k$, $0 \le i \le n$, thus the mapping is well defined.

Intuitively, the inequalities give upper and lower bounds for the time of the next $SIGNAL_n$ event, in terms of the values of the variables in the state of $time(A,b)$. For example, in the case of the upper bound, if the signal has already propagated past process $P_k$, then within the time that is stored in $s.Lt(k,n)$, a $SIGNAL_n$ event must occur (because the component $s.Lt(k,n)$ keeps track of the latest time at which a $SIGNAL_n$ event must occur, once a $SIGNAL_k$ event has occurred). If the signal has only gotten as far as process $P_k$, however, then $s.Lt(k,n)$ will not contain any useful information, so an alternative bound is used. In this case, within time $s.Lt(SIGNAL_k)$, a $SIGNAL_k$ event must occur, and then after $(n-k)$ additional signal propagation steps, each taking at most time $d_2$, a $SIGNAL_n$ event must occur. The lower bound has a similar meaning.
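To make the relay algorithm of Section 6.1 and the mapping $f_k$ of this subsection concrete, the following Python program (added here as an illustration; it is not part of the paper, and its dictionary encoding of states, its helper names and its sample delays are our own choices) runs a constructed timed execution of the relay through the $time(A,b)$ construction, checks Lemma 6.1 on every state, and evaluates, at every state, the tightest interval for the next $SIGNAL_n$ that the trivial renaming from $time(A,b)$ to $B_{n-1}$ followed by $f_{n-1}, \ldots, f_1$ allows. The program also rejects an execution whose delays violate the boundmap $b$.

```python
"""Signal relay of Section 6.1 run through the time(A,b) construction, with the
mapping f_k of Section 6.4 evaluated on every state.  Added illustration: the
dict encoding of states, the helper names and the sample delays are our own
choices, not the paper's."""
import copy
import math

INF = math.inf


def initial_state(n):
    """Start state of time(A,b): FLAG_0 true, the other FLAGs false, Ct = 0.
    Class SIGNAL_0 has bounds [0, inf]; classes SIGNAL_1..SIGNAL_n are not yet
    enabled, so their predictive components take the defaults Ft = 0, Lt = inf."""
    return {"Ct": 0.0, "FLAG": [True] + [False] * n,
            "Ft": [0.0] * (n + 1), "Lt": [INF] * (n + 1)}


def step(s, i, t, d1, d2):
    """Apply the action (SIGNAL_i, t) to a state s of time(A,b) and return the
    new state.  Raises ValueError when (SIGNAL_i, t) is not enabled, i.e. when
    the timing assumptions of the boundmap b would be violated."""
    n = len(s["FLAG"]) - 1
    if not s["FLAG"][i]:
        raise ValueError(f"SIGNAL_{i} is not enabled: FLAG_{i} is false")
    if t < s["Ct"] or not (s["Ft"][i] <= t <= s["Lt"][i]):
        raise ValueError(f"time {t} is outside [Ft, Lt] of class SIGNAL_{i}")
    if any(t > lt for lt in s["Lt"]):
        raise ValueError("the upper bound of another class has already expired")
    u = copy.deepcopy(s)
    u["Ct"] = t
    u["FLAG"][i] = False                       # effect of SIGNAL_i in P_i
    u["Ft"][i], u["Lt"][i] = 0.0, INF          # class SIGNAL_i becomes disabled
    if i < n:                                  # SIGNAL_i is an input of P_{i+1}
        u["FLAG"][i + 1] = True
        u["Ft"][i + 1], u["Lt"][i + 1] = t + d1, t + d2   # newly enabled class
    return u


def lemma_6_1_holds(s):
    """Lemma 6.1: at most one SIGNAL_i is enabled in any reachable state."""
    return sum(s["FLAG"]) <= 1


def tightest_image(s, k, n, d1, d2, ft_kn, lt_kn):
    """Tightest (Ft(k-1,n), Lt(k-1,n)) permitted by the inequalities defining
    f_k, given a B_k state: s holds the time(A,b) components, (ft_kn, lt_kn)
    the components associated with U_{k,n}."""
    if any(s["FLAG"][i] for i in range(k + 1, n + 1)):
        return ft_kn, lt_kn
    if s["FLAG"][k]:
        return s["Ft"][k] + (n - k) * d1, s["Lt"][k] + (n - k) * d2
    return 0.0, INF


def predicted_signal_n_interval(s, n, d1, d2):
    """Compose the renaming time(A,b) -> B_{n-1} with f_{n-1}, ..., f_1 to get
    the B_0 components (Ft(0,n), Lt(0,n)): the interval in which the next
    SIGNAL_n must occur according to the state s."""
    ft_kn, lt_kn = s["Ft"][n], s["Lt"][n]   # in B_{n-1}, U_{n-1,n} is the SIGNAL_n class
    for k in range(n - 1, 0, -1):
        ft_kn, lt_kn = tightest_image(s, k, n, d1, d2, ft_kn, lt_kn)
    return ft_kn, lt_kn


def run_relay(n, d1, d2, delays, t0=0.0):
    """Constructed timed execution: SIGNAL_0 at time t0, then P_i fires
    delays[i-1] after being enabled.  Returns the list of (state, predicted
    interval) pairs after each event and the time of SIGNAL_n."""
    assert len(delays) == n
    s, t, trace = initial_state(n), t0, []
    for i in range(n + 1):
        if i > 0:
            t += delays[i - 1]
        s = step(s, i, t, d1, d2)
        assert lemma_6_1_holds(s)
        trace.append((s, predicted_signal_n_interval(s, n, d1, d2)))
    return trace, t


def check_bounds(n, d1, d2, delays, t0=0.0):
    """True iff every state before SIGNAL_n predicts an interval containing the
    actual SIGNAL_n time, and that time satisfies the requirement U_{0,n} of
    Section 6.2: t0 + n*d1 <= t_n <= t0 + n*d2."""
    trace, t_n = run_relay(n, d1, d2, delays, t0)
    if not all(lo <= t_n <= hi for _, (lo, hi) in trace[:-1]):
        return False
    return t0 + n * d1 <= t_n <= t0 + n * d2


if __name__ == "__main__":
    print(check_bounds(4, 1.0, 3.0, [1.0, 3.0, 2.5, 1.5]))   # True
    try:                                   # a delay outside [d1, d2] is rejected
        run_relay(4, 1.0, 3.0, [1.0, 4.0, 1.0, 1.0])
    except ValueError as err:
        print("rejected:", err)
```

Note that after $SIGNAL_i$ has occurred at time $t_i$ the program's predicted interval is $[t_i + (n-i)d_1,\ t_i + (n-i)d_2]$, which is exactly the bound the intuitive explanation above attributes to the state in which only $FLAG_{i+1}$ is set; before $SIGNAL_0$ and after $SIGNAL_n$ it is $[0, \infty]$, matching the defaults of a timing condition that is not in effect.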

The  proof  of  the  following  lemma  is  a  straightforward  case  analysis  and  it  appears  in 
Appendix  A. 

Lemma 6.2 If $1 \le k \le n-1$ then the mapping $f_k$ is a strong possibilities mapping from $B_k$ to $B_{k-1}$.

By considering the composition $f_1 \circ \cdots \circ f_{n-1}$ and the trivial mappings from $B_0$ to $B$ and from $time(A,b)$ to $B_{n-1}$, we obtain the following corollary.
Corollary 6.3 There exists a strong possibilities mapping from $time(A,b)$ to $B$.

Now we can put the pieces together.

Theorem 6.4 All timed behaviors of $(A,b)$ are in $Q$.

Proof: Let $\beta$ be a timed behavior of $(A,b)$. Let $\alpha$ be a timed execution of $(A,b)$ such that $\beta = beh(\alpha)$. By Corollary 6.3, there exists a strong possibilities mapping from $time(A,b)$ to $time(A, \{U_{0,n}\})$. Thus, by Theorem 5.4, $\alpha$ is a timed execution of $(A, \{U_{0,n}\})$. This implies that $\beta \in Q$. ■

7  Completeness 

Theorem 7.1 Let $(A,b)$ be a timed automaton, and let $(\bar A, \bar b)$ be the dummification of $(A,b)$. Let $\mathcal U$ be a set of timing conditions for $A$. Suppose that every timed execution of $(A,b)$ satisfies $\mathcal U$. Then there is a strong possibilities mapping from $time(\bar A, \bar b)$ to $time(\bar A, \bar{\mathcal U})$.

Proof:  The  following  technical  claim  is  used  many  times  in  the  proof. 

Claim 7.2 Let $\alpha$ be an infinite execution of $time(\bar A, \bar b)$ in which the time components of the actions are unbounded. Then, for every $U \in \mathcal U$, $project(\alpha)$ satisfies $\bar U$.

Proof: Lemma 3.3 part 2 implies that $project(\alpha)$ is a timed execution of $(\bar A, \bar b)$. By Lemma 5.2 part 1, $undum(project(\alpha))$ is a timed execution of $(A, b)$. Thus, by the assumption of the theorem, $undum(project(\alpha))$ satisfies $U$. Then Lemma 5.3 part 2 implies that $project(\alpha)$ satisfies $\bar U$. ■

Before defining the mapping, we introduce a few preliminary definitions. Define for each state $s$ of $time(\bar A, \bar b)$ the set $Ext(s)$ to be the set of infinite execution fragments of $time(\bar A, \bar b)$ starting with $s$ in which the time components of the actions are unbounded. Since, by Lemma 5.1, all timed executions of $(\bar A, \bar b)$ are infinite, there is at least one such fragment starting with $s$, for any state $s$ reachable in an execution of $time(\bar A, \bar b)$. Thus, the set $Ext(s)$ is not empty, for any state $s$ reachable in an execution of $time(\bar A, \bar b)$.

If $U \in \mathcal U$ is a timing condition for $A$, then let $\bar U$ be the dummification of $U$ as defined above, $\bar U = (T_{start}(\bar U), T_{step}(\bar U), b(\bar U), \Pi(\bar U), S(\bar U))$. Let $\alpha \in Ext(s)$ be

$$\alpha = s_0, (\pi_1, t_1), s_1, (\pi_2, t_2), \ldots,$$

where $s_0 = s$, and let $t_0 = s.Ct$. Define $first_{\bar U}(\alpha)$ as follows. If there exists $j > 0$ such that $\pi_j \in \Pi(\bar U)$ or $s_j.As \in S(\bar U)$, then $first_{\bar U}(\alpha) = t_i$ where

$$i = \min\{j > 0 \mid \pi_j \in \Pi(\bar U) \text{ or } s_j.As \in S(\bar U)\}.$$

Otherwise, $first_{\bar U}(\alpha) = \infty$. Intuitively, this is the first time an action from $\Pi(\bar U)$ or a state from $S(\bar U)$ occurs in $\alpha$ (if at all). Let $i_0 = \min\{j > 0 \mid \pi_j \in \Pi(\bar U)\}$ ($\infty$ if there is no $\pi_j \in \Pi(\bar U)$), and let $i_1 = \min\{j > 0 \mid s_j.As \in S(\bar U)\}$ ($\infty$ if there is no $s_j.As \in S(\bar U)$). If $i_0 < i_1$ then define $first\text{-}\Pi_{\bar U}(\alpha) = t_{i_0}$, otherwise, $first\text{-}\Pi_{\bar U}(\alpha) = \infty$. Intuitively, this is the first time an action from $\Pi(\bar U)$ occurs before a state from $S(\bar U)$ occurs (if at all).

We now define the mapping $f$. Let $s$ be a state reachable in an execution of $time(\bar A, \bar b)$ and let $u \in states(time(\bar A, \bar{\mathcal U}))$. Then $u \in f(s)$ if the following hold for any timing condition $U \in \mathcal U$:

$$u.Lt(\bar U) \ge \sup\{first_{\bar U}(\alpha) \mid \alpha \in Ext(s)\} \quad (1)$$

and

$$u.Ft(\bar U) \le \inf\{first\text{-}\Pi_{\bar U}(\alpha) \mid \alpha \in Ext(s)\} \quad (2)$$

and every other component of $u$ is equal to the corresponding component of the state $s$. We now prove that $f$ is a strong possibilities mapping from $time(\bar A, \bar b)$ to $time(\bar A, \bar{\mathcal U})$. Clearly, it satisfies Condition 3 of Definition 3.2.
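The functions $first_{\bar U}$ and $first\text{-}\Pi_{\bar U}$ and the inequalities (1) and (2) above, evaluated in Python on constructed execution fragments (an added illustration, not part of the paper): states are represented by their $As$ label only, $Ext(s)$ is replaced by a finite constructed sample of fragments, and the action names, state labels and times are invented for the example. The sample is chosen so that one fragment has a state from $S(\bar U)$ before the first action from $\Pi(\bar U)$, which is exactly the situation in which the two functions differ.

```python
"""first_U, first-Pi_U and the image test of inequalities (1) and (2) from
Section 7, on constructed fragments.  Added illustration, not the paper's code:
a fragment is a list [s_0, (pi_1, t_1), s_1, (pi_2, t_2), s_2, ...] whose
states are As labels and whose actions are (name, time) pairs."""
import math

INF = math.inf


def _indexed_steps(frag):
    """Yield (j, pi_j, t_j, s_j) for j = 1, 2, ... over a fragment."""
    for j in range(1, (len(frag) - 1) // 2 + 1):
        pi_j, t_j = frag[2 * j - 1]
        yield j, pi_j, t_j, frag[2 * j]


def first_U(frag, Pi, S):
    """first_U(alpha): t_j for the least j > 0 with pi_j in Pi(U) or
    s_j.As in S(U); infinity if there is no such j."""
    for _, pi_j, t_j, s_j in _indexed_steps(frag):
        if pi_j in Pi or s_j in S:
            return t_j
    return INF


def first_Pi_U(frag, Pi, S):
    """first-Pi_U(alpha): t_{i0} when the first action from Pi(U) (index i0)
    comes strictly before the first state from S(U) (index i1), else infinity."""
    i0 = i1 = INF
    t_i0 = INF
    for j, pi_j, t_j, s_j in _indexed_steps(frag):
        if pi_j in Pi and i0 == INF:
            i0, t_i0 = j, t_j
        if s_j in S and i1 == INF:
            i1 = j
    return t_i0 if i0 < i1 else INF


def image_bounds(ext, Pi, S):
    """(sup of first_U, inf of first-Pi_U) over the fragments in ext: the
    right-hand sides of inequalities (1) and (2)."""
    lt_bound = max(first_U(a, Pi, S) for a in ext)
    ft_bound = min(first_Pi_U(a, Pi, S) for a in ext)
    return lt_bound, ft_bound


def in_image(u_Lt, u_Ft, ext, Pi, S):
    """True iff the predictive components (u.Lt(U), u.Ft(U)) of a candidate
    state u satisfy inequalities (1) and (2) with respect to ext."""
    lt_bound, ft_bound = image_bounds(ext, Pi, S)
    return u_Lt >= lt_bound and u_Ft <= ft_bound


# Constructed sample (hypothetical names): Pi(U) = {"grant"}, S(U) = {"idle"}.
PI = {"grant"}
S_SET = {"idle"}
EXT_SAMPLE = [
    # grant at time 5 before any idle state: first_U = first-Pi_U = 5
    ["busy", ("tick", 2.0), "busy", ("grant", 5.0), "busy", ("tick", 9.0), "busy"],
    # idle state at time 3 precedes the grant: first_U = 3, first-Pi_U = inf
    ["busy", ("stop", 3.0), "idle", ("grant", 4.0), "busy", ("tick", 9.0), "busy"],
    # neither a grant nor an idle state: both functions are infinite
    ["busy", ("tick", 1.0), "busy", ("tick", 2.0), "busy"],
]

if __name__ == "__main__":
    print(image_bounds(EXT_SAMPLE[:2], PI, S_SET))      # (5.0, 5.0)
    print(image_bounds(EXT_SAMPLE, PI, S_SET))          # (inf, 5.0)
    print(in_image(INF, 4.0, EXT_SAMPLE, PI, S_SET))    # True
```

With the third fragment included, the supremum in (1) is infinite, so only a state $u$ with $u.Lt(\bar U) = \infty$ is in the image: a fragment in which neither an action from $\Pi(\bar U)$ nor a state from $S(\bar U)$ ever occurs leaves the condition with no finite deadline to predict.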

To show $f$ satisfies Condition 1 of Definition 3.2, let $s_0$ be a start state of $time(\bar A, \bar b)$; we have to show that there is a start state $u_0$ of $time(\bar A, \bar{\mathcal U})$ such that $u_0 \in f(s_0)$. Let $u_0$ be the unique start state of $time(\bar A, \bar{\mathcal U})$ with $s_0.As = u_0.As$.

We check the inequalities for each $U \in \mathcal U$ separately. If $s_0.As \in T_{start}(\bar U)$ then, if $b_u(\bar U) = \infty$ then $u_0.Lt(\bar U) = \infty$ and inequality (1) for $U$ is trivially satisfied. If $b_u(\bar U) < \infty$, then, for any $\alpha \in Ext(s_0)$, where

$$\alpha = s_0, (\pi_1, t_1), s_1, (\pi_2, t_2), \ldots,$$

Claim 7.2 implies that $project(\alpha)$ satisfies $\bar U$, and hence there exists $j > 0$ with $t_j \le b_u(\bar U)$ such that either $\pi_j \in \Pi(\bar U)$ or $s_j.As \in S(\bar U)$ (Condition 1(a) of Definition 2.2). Hence, for any $\alpha \in Ext(s_0)$, $first_{\bar U}(\alpha) \le b_u(\bar U)$. By the definition of $time(\bar A, \bar{\mathcal U})$, we have $u_0.Lt(\bar U) = b_u(\bar U)$, so inequality (1) for $U$ is satisfied.

To show inequality (2) for $U$, note that for any $\alpha \in Ext(s_0)$, where

$$\alpha = s_0, (\pi_1, t_1), s_1, (\pi_2, t_2), \ldots,$$

Claim 7.2 implies that $project(\alpha)$ satisfies $\bar U$, and hence if there exists $j > 0$ with $t_j < b_l(\bar U)$ such that $\pi_j \in \Pi(\bar U)$, then there exists $k$, $0 < k < j$, such that $s_k.As \in S(\bar U)$ (Condition 2(b) of Definition 2.2). Thus $first\text{-}\Pi_{\bar U}(\alpha) \ge b_l(\bar U) = u_0.Ft(\bar U)$, and inequality (2) for $U$ is satisfied.

If $s_0.As \notin T_{start}(\bar U)$, then the definition of $time(\bar A, \bar{\mathcal U})$ implies that $u_0.Ft(\bar U) = 0$ and $u_0.Lt(\bar U) = \infty$. Thus, inequalities (1) and (2) for $U$ are trivially satisfied.

Since the inequalities are satisfied for any $U \in \mathcal U$ we have $u_0 \in f(s_0)$. Thus, we have shown that $f$ satisfies Condition 1 of Definition 3.2; we now show that $f$ satisfies Condition 2 of Definition 3.2.

Let $s'$ be a reachable state of $time(\bar A, \bar b)$, and let $\alpha_0, s'$ be an execution of $time(\bar A, \bar b)$. Let $u' \in f(s')$. Assume $(s', (\pi, t), s)$ is a step of $time(\bar A, \bar b)$; we have to show that there exists a step $(u', (\pi, t), u)$ of $time(\bar A, \bar{\mathcal U})$ such that $u \in f(s)$. Let $u$ be the state of $time(\bar A, \bar{\mathcal U})$ achieved by applying the $time(\bar A, \bar{\mathcal U})$ definition to $u'$, with $u.Ct = t$ and $u.As = s.As$. We check the inequalities for each $U \in \mathcal U$ separately, and there are two major cases:

1. $\pi \in \Pi(\bar U)$. We first need to show that $u'.Ft(\bar U) \le t \le u'.Lt(\bar U)$ (so that $(\pi, t)$ is enabled in $u'$). If $s'.As \in S(\bar U)$ then also $u'.As \in S(\bar U)$ and by an earlier observation $u'.Lt(\bar U) = \infty$, so clearly $t \le u'.Lt(\bar U)$. So assume $s'.As \notin S(\bar U)$; by the induction hypothesis,

$$u'.Lt(\bar U) \ge \sup\{first_{\bar U}(\alpha) \mid \alpha \in Ext(s')\} \ge first_{\bar U}(s', (\pi, t), s, \beta)$$

for some $\beta \in Ext(s)$. However, since $s'.As \notin S(\bar U)$ it follows that $first_{\bar U}(s', (\pi, t), s, \beta) \ge t$. Thus, we have $t \le u'.Lt(\bar U)$. To see that $u'.Ft(\bar U) \le t$, notice that if $s'.As \in S(\bar U)$ then $u'.Ft(\bar U) = 0$, and the inequality is trivially satisfied. Otherwise, by the induction hypothesis,

$$u'.Ft(\bar U) \le \inf\{first\text{-}\Pi_{\bar U}(\alpha) \mid \alpha \in Ext(s')\} \le first\text{-}\Pi_{\bar U}(s', (\pi, t), s, \beta)$$

for some $\beta \in Ext(s)$. Since $s'.As \notin S(\bar U)$ and $\pi \in \Pi(\bar U)$, $first\text{-}\Pi_{\bar U}(s', (\pi, t), s, \beta) = t$. Thus, $u'.Ft(\bar U) \le t$, as needed.

We now show that inequalities (1) and (2) are satisfied for $U$.

If $(s'.As, \pi, s.As) \in T_{step}(\bar U)$, the timing condition $\bar U$ is restarted. Formally, the definition of $time(\bar A, \bar{\mathcal U})$ implies that $u.Lt(\bar U) = t + b_u(\bar U)$ and $u.Ft(\bar U) = t + b_l(\bar U)$. If $b_u(\bar U) = \infty$ then $u.Lt(\bar U) = \infty$ and inequality (1) for $U$ is trivially satisfied. If $b_u(\bar U) < \infty$, then, for any $\alpha \in Ext(s)$, where

$$\alpha = s_0, (\pi_1, t_1), s_1, (\pi_2, t_2), \ldots,$$

and $s_0 = s$, Claim 7.2 implies that $project(\alpha_0 \alpha)$ satisfies $\bar U$, and hence there exists $j > 0$ with $t_j \le t + b_u(\bar U)$ such that either $\pi_j \in \Pi(\bar U)$ or $s_j.As \in S(\bar U)$ (Condition 1(b) of Definition 2.2). Hence, for any $\alpha \in Ext(s)$, $first_{\bar U}(\alpha) \le t + b_u(\bar U)$. Since $u.Lt(\bar U) = t + b_u(\bar U)$, inequality (1) for $U$ is satisfied.

To show inequality (2) for $U$, note that for any $\alpha \in Ext(s)$,

$$\alpha = s_0, (\pi_1, t_1), s_1, (\pi_2, t_2), \ldots,$$

where $s_0 = s$, Claim 7.2 implies that $project(\alpha_0 \alpha)$ satisfies $\bar U$, and hence if there exists $j > 0$ with $t_j < t + b_l(\bar U)$ such that $\pi_j \in \Pi(\bar U)$, then there exists $k$, $0 < k < j$, such that $s_k.As \in S(\bar U)$ (Condition 2(b) of Definition 2.2). Thus $first\text{-}\Pi_{\bar U}(\alpha) \ge t + b_l(\bar U) = u.Ft(\bar U)$, and inequality (2) for $U$ is satisfied.

If $(s'.As, \pi, s.As) \notin T_{step}(\bar U)$, then the timing condition $\bar U$ is not restarted, and its predictions are set to default values. Formally, the $time(\bar A, \bar{\mathcal U})$ definition implies that $u.Lt(\bar U) = \infty$ and $u.Ft(\bar U) = 0$. Thus, inequalities (1) and (2) for $U$ are trivially satisfied.
2. $\pi \notin \Pi(\bar U)$. We first need to show that $t \le u'.Lt(\bar U)$ (so that $(\pi, t)$ is enabled in $u'$). If $s'.As \in S(\bar U)$ then also $u'.As \in S(\bar U)$ and by an earlier observation $u'.Lt(\bar U) = \infty$, so clearly $t \le u'.Lt(\bar U)$. So assume $s'.As \notin S(\bar U)$; by the induction hypothesis,

$$u'.Lt(\bar U) \ge \sup\{first_{\bar U}(\alpha) \mid \alpha \in Ext(s')\} \ge first_{\bar U}(s', (\pi, t), s, \beta)$$

for some $\beta \in Ext(s)$. However, since $s'.As \notin S(\bar U)$ it follows that $first_{\bar U}(s', (\pi, t), s, \beta) \ge t$. Thus, we have $t \le u'.Lt(\bar U)$.

We now show that inequalities (1) and (2) are satisfied for $U$.

If $(s'.As, \pi, s.As) \in T_{step}(\bar U)$, then the timing condition $\bar U$ is restarted, unless it was already in effect. Formally, the definition of $time(\bar A, \bar{\mathcal U})$ implies that $u.Lt(\bar U) = \min\{u'.Lt(\bar U), t + b_u(\bar U)\}$ and $u.Ft(\bar U) = t + b_l(\bar U)$. Assume $u.Lt(\bar U) = u'.Lt(\bar U)$. If $s'.As \in S(\bar U)$ then also $u'.As \in S(\bar U)$ and by definition $u'.Lt(\bar U) = \infty$, and inequality (1) for $U$ is trivially satisfied. So assume $s'.As \notin S(\bar U)$; since $\pi \notin \Pi(\bar U)$, for any $\alpha \in Ext(s)$, $first_{\bar U}(\alpha) = first_{\bar U}(s', (\pi, t), \alpha)$. Note that $s', (\pi, t), \alpha \in Ext(s')$. Thus,

$$\begin{aligned}
\sup\{first_{\bar U}(\alpha) \mid \alpha \in Ext(s)\}
&= \sup\{first_{\bar U}(s', (\pi, t), \alpha) \mid \alpha \in Ext(s)\} \\
&\le \sup\{first_{\bar U}(\alpha') \mid \alpha' \in Ext(s')\} \\
&\le u'.Lt(\bar U) \quad \text{by the induction hypothesis,} \\
&= u.Lt(\bar U)
\end{aligned}$$

as needed. If $u.Lt(\bar U) = t + b_u(\bar U)$, then inequality (1) for $U$ follows as in Case 1. Inequality (2) for $U$ follows as in Case 1.

If $s.As \in S(\bar U)$ then the timing condition $\bar U$ is disabled. Formally, the $time(\bar A, \bar{\mathcal U})$ definition implies that $u.Lt(\bar U) = \infty$ and $u.Ft(\bar U) = 0$. Thus, the inequalities for $U$ are trivially satisfied.

Otherwise, $(s'.As, \pi, s.As) \notin T_{step}(\bar U)$ and $s.As \notin S(\bar U)$, and the predictions for $\bar U$ continue as before. Formally, the $time(\bar A, \bar{\mathcal U})$ definition implies that $u.Lt(\bar U) = u'.Lt(\bar U)$ and $u.Ft(\bar U) = u'.Ft(\bar U)$. If $s'.As \in S(\bar U)$ then also $u'.As \in S(\bar U)$ and by definition $u'.Lt(\bar U) = \infty$, and inequality (1) for $U$ is trivially satisfied. So assume $s'.As \notin S(\bar U)$; since $\pi \notin \Pi(\bar U)$, for any $\alpha \in Ext(s)$, $first_{\bar U}(\alpha) = first_{\bar U}(s', (\pi, t), \alpha)$. Note that $s', (\pi, t), \alpha \in Ext(s')$. Thus,

$$\begin{aligned}
\sup\{first_{\bar U}(\alpha) \mid \alpha \in Ext(s)\}
&= \sup\{first_{\bar U}(s', (\pi, t), \alpha) \mid \alpha \in Ext(s)\} \\
&\le \sup\{first_{\bar U}(\alpha') \mid \alpha' \in Ext(s')\} \\
&\le u'.Lt(\bar U) \quad \text{by the induction hypothesis,} \\
&= u.Lt(\bar U)
\end{aligned}$$

as needed. Inequality (2) for $U$ follows as in Case 1. ■

8  Conclusions  and  Further  Work 

In  this  paper  we  have  described  a  way  to  carry  out  assertional  proofs  for  timing  properties.  We 
have  shown  how  to  specify  an  algorithm  and  its  timing  assumptions,  as  well  as  its  performance 
requirements,  in  terms  of  timed  automata  and  timing  conditions.  We  have  shown  how  to 
convert  such  specifications  into  ordinary  (not  timed)  I/O  automata  by  building  predictive 
timing  information  into  the  automaton  states.  Then  the  goal  of  proving  timing  conditions 
can  often  be  met  by  demonstrating  the  existence  of  a  strong  possibilities  mapping  from  the 
automaton  corresponding  to  the  algorithm  (with  its  timing  assumptions)  to  the  automaton 
corresponding  to  the  performance  requirements. 

We  have  presented  two  examples  of  this  method.  The  first  is  the  analysis  of  the  rate  at  which 
a  simple  resource  manager  system  issues  grants;  the  second  is  the  analysis  of  the  propagation 
delay  of  a  signal  along  a  line  of  relay  processes.  The  second  example  also  illustrates  how  our 
method  can  be  applied  hierarchically,  in  a  way  that  corresponds  to  proofs  using  recurrences. 
We have shown that this method is complete, i.e., if a timed I/O automaton satisfies a set of timing conditions then a strong possibilities mapping can be exhibited between the appropriate automata.

A  good  technique  for  proving  timing  properties  of  timing-dependent  or  asynchronous  sys¬ 
tems  should  be  rigorous,  simple  and  general.  Our  technique  is  certainly  rigorous,  and  we  think 
it  is  also  quite  simple.  Prior  work  on  proving  timing  properties  has  usually  had  an  operational 
style  much  like  that  of  liveness  proofs,  where  time  bounds  are  obtained  by  bounding  how  long 
it  takes  for  intermediate  milestones  to  occur.  (See  [LG89]  for  several  examples.)  In  contrast, 
the  method  presented  in  this  paper  has  an  assertional  style.  Such  a  style  seems  to  us  to  lead 
to  proofs  that  are  somewhat  simpler;  they  are  straightforward  to  generate  (although  they  may 
involve  analyzing  a  large  number  of  cases),  and  are  easier  to  check  -  in  fact,  proofs  of  the  sort 
we  have  given  in  this  paper  ought  to  be  machine- checkable  with  current  proof  technology. 

As  for  generality,  it  is  not  yet  clear  to  us  how  generally  applicable  this  method  will  be. 
It  is  quite  likely  that  the  specific  time(A,U)  construction  we  use  will  not  be  general  enough 
to  express  all  interesting  examples  of  performance  requirements.  For  example,  one  might 
want  to  consider  performance  requirements  that  specify  that  a  resource  manager  is  supposed 
to  respond  to  requests  as  long  as  they  do  not  arrive  too  far  apart  in  time  (see  the  “cement 
mixer” example in [FG89]). For another example, one might want to consider a specification that says that one event $\pi$ triggers two later events, $\phi$ and $\psi$, with $\phi$ occurring within a certain interval of time after $\pi$ and $\psi$ occurring within a certain interval of time after $\phi$. Both
of  these  examples  illustrate  more  complicated  requirements  than  can  be  expressed  directly 
as  timing  conditions.  It  may  be  possible  to  force  such  examples  to  fit  into  our  definitions 
by  adding  auxiliary  variables  or  actions;  alternatively,  it  may  be  necessary  or  desirable  to 
generalize  the  time(A,U)  construction  to  allow  more  general  kinds  of  timing  conditions.  If 
the  time(A,U)  construction  is  generalized,  then  we  would  hope  that  many  of  the  same  ideas, 
e.g.,  the  incorporation  of  predictive  timing  information  into  the  state  and  the  use  of  mappings 
that  take  the  form  of  inequalities,  will  still  be  useful.  Even  if  the  time(A,U )  construction  is 
generalized,  we  wonder  whether  there  is  a  single  generalization  that  will  cover  all  interesting 
examples.  We  leave  all  of  this  as  a  subject  for  future  work. 

It  remains  to  apply  this  technique  to  other,  more  complex  examples  than  the  ones  in  this 
paper.  One  particularly  good  example  to  try  is  the  full  tournament  mutual  exclusion  algorithm 
from  [PF77].  Its  prior  analysis  using  recurrences  suggests  that  it  may  be  a  good  candidate  for 
hierarchical  proof  as  in  our  second  example.  This  is  an  example  of  an  asynchronous  algorithm; 
good  sources  for  timing-dependent  algorithms  to  analyze  are  the  areas  of  real-time  computing 
and  communication. 

We have already seen how our method can express ideas previously expressed using recurrences. It remains to see how our technique combines with other methods for time analysis
such  as  methods  based  on  bounded  temporal  logic  (e.g.,  [BH81]).  Also,  it  remains  to  see  how 
proofs  using  our  techniques  can  be  applied  in  a  modular  way  for  the  verification  of  timing 
properties  of  large  and  complex  timing-based  systems. 
A Proofs of Lemmas

A.1 Proof of Lemma 4.1

Proof: By induction on the length of an execution leading to $s$. If the length is 0, then $s.TIMER = k > 0$, so the conditions are easily seen to be true. So suppose that $(s', (\pi, t), s)$ is a step of $time(A, b)$, where $s'$ is reachable in $n$ steps and the conditions are true for $s'$. We consider cases.

Case 1: $\pi = GRANT$.

Then the effect of GRANT implies that $s.TIMER = k > 0$, which implies both conditions.

Case 2: $\pi = ELSE$.

The precondition of ELSE implies that $s'.TIMER > 0$. Since $s.TIMER = s'.TIMER$, we also have $s.TIMER > 0$, which implies both conditions.

Case 3: $\pi = TICK$.

Suppose that $s.TIMER < 0$. Then $s'.TIMER = 0$, by the inductive hypothesis. The inductive hypothesis also implies that $s'.Ft(TICK) \ge s'.Lt(LOCAL) + c_1 - l$. Since $c_1 > l$ (by an assumption), this implies that $s'.Ft(TICK) > s'.Lt(LOCAL)$. But then TICK is not enabled in $s'$, a contradiction. Thus, $s.TIMER \ge 0$, showing the first property.

Now, $s.Ft(TICK) = t + c_1$ and $s.Lt(LOCAL) \le t + l$. This implies that

$$s.Ft(TICK) \ge s.Lt(LOCAL) + c_1 - l,$$

showing the second property. ■


A.2 Proof of Lemma 4.3

Proof:  We  begin  by  giving  an  explicit  description  of  B,  by  instantiating  the  general  definition 
of  time(A,U)  for  the  case  where  U  is  the  given  set  of  conditions.  We  use  this  explicit  description 
in  the  proof  below. 

Each state of $B$ has components $As$, holding a state of $A$, plus $Ct$, $Ft(G_1)$, $Lt(G_1)$, $Ft(G_2)$ and $Lt(G_2)$. Each initial state of $B$ consists of an initial state $s$ of $A$, plus $Ct = 0$, plus $Ft(G_1) = k \cdot c_1$, $Lt(G_1) = k \cdot c_2 + l$, $Ft(G_2) = 0$ and $Lt(G_2) = \infty$. If $(\pi, t)$ is an action of $B$, then $(s', (\pi, t), s)$ is a step of $B$ exactly if the following conditions hold.

1. $(s'.As, \pi, s.As)$ is a step of $A$.

2. $s'.Ct \le t = s.Ct$.

3. If $\pi = GRANT$ then

(a) $s'.Ft(G_1) \le t \le s'.Lt(G_1)$ and $s'.Ft(G_2) \le t \le s'.Lt(G_2)$,

(b) $s.Ft(G_2) = t + k \cdot c_1 - l$ and $s.Lt(G_2) = t + k \cdot c_2 + l$,

(c) $s.Ft(G_1) = 0$ and $s.Lt(G_1) = \infty$.

4. If $\pi = ELSE$ or $TICK$, then

(a) $t \le s'.Lt(G_1)$ and $t \le s'.Lt(G_2)$,

(b) $s.Ft(G_1) = s'.Ft(G_1)$, $s.Lt(G_1) = s'.Lt(G_1)$, $s.Ft(G_2) = s'.Ft(G_2)$, and $s.Lt(G_2) = s'.Lt(G_2)$.

Let $s$ and $u$ be the unique start states of $time(A, b)$ and $B$, respectively. Then $s.TIMER = k > 0$. Also,

$$\min(u.Lt(G_1), u.Lt(G_2)) = k \cdot c_2 + l \quad \text{and} \quad s.Lt(TICK) = c_2.$$

It follows that

$$\min(u.Lt(G_1), u.Lt(G_2)) = s.Lt(TICK) + (s.TIMER - 1)c_2 + l.$$

Furthermore,

$$\max(u.Ft(G_1), u.Ft(G_2)) = k \cdot c_1 \quad \text{and} \quad s.Ft(TICK) = c_1,$$

so that

$$\max(u.Ft(G_1), u.Ft(G_2)) = s.Ft(TICK) + (s.TIMER - 1)c_1.$$

This suffices to show the initial condition.

Now consider a step $(s', (\pi, t), s)$ of $time(A, b)$, where $s'$ is a reachable state of $time(A, b)$, and suppose that $u'$ is a reachable state of $B$ such that $u' \in f(s')$. We argue that $(\pi, t)$ is enabled in $u'$. The first thing we must show is that

$$t \le \min(u'.Lt(G_1), u'.Lt(G_2)).$$

If this is not the case, then

$$t > \min(u'.Lt(G_1), u'.Lt(G_2)).$$

Since $s'$ is a reachable state of $time(A, b)$, Lemma 4.1 implies that $s'.TIMER \ge 0$. Then since $u' \in f(s')$, it follows that either

$$\min(u'.Lt(G_1), u'.Lt(G_2)) \ge s'.Lt(TICK) \quad \text{or} \quad \min(u'.Lt(G_1), u'.Lt(G_2)) \ge s'.Lt(LOCAL).$$

Therefore, either

$$t > s'.Lt(TICK) \quad \text{or} \quad t > s'.Lt(LOCAL).$$

Either case contradicts the operation of $time(A, b)$.

The other thing we must show is that if $\pi = GRANT$, then

$$\max(u'.Ft(G_1), u'.Ft(G_2)) \le t.$$

Since $(GRANT, t)$ is enabled in $s'$, it must be that $s'.TIMER \le 0$, and Lemma 4.1 then implies that $s'.TIMER = 0$. Since $u' \in f(s')$, we have

$$\max(u'.Ft(G_1), u'.Ft(G_2)) \le s'.Ct.$$

This means that

$$\max(u'.Ft(G_1), u'.Ft(G_2)) \le s'.Ct \le s.Ct = t,$$

as needed.

Now  we  consider  cases. 

Case 1: $\pi = GRANT$. Then define $u$ so that

$$u.Ft(G_1) = 0,\quad u.Lt(G_1) = \infty,\quad u.Ft(G_2) = t + k \cdot c_1 - l \quad\text{and}\quad u.Lt(G_2) = t + k \cdot c_2 + l.$$

(Other components are exactly as in $s$.) The preconditions already checked imply that $(u',(\pi,t),u)$ is a step of $B$. It remains to show that $u \in f(s)$. The effects of the GRANT action imply that $s.TIMER = k > 0$. Thus, we must show that

$$\min(u.Lt(G_1), u.Lt(G_2)) \ge s.Lt(TICK) + (s.TIMER - 1)c_2 + l$$

and

$$\max(u.Ft(G_1), u.Ft(G_2)) \le s.Ft(TICK) + (s.TIMER - 1)c_1.$$

To see the first inequality, note that

$$s.Lt(TICK) \le t + c_2;$$

thus,

$$\begin{aligned}
s.Lt(TICK) + (s.TIMER - 1)c_2 + l &\le t + c_2 + (k - 1)c_2 + l \\
&= t + k \cdot c_2 + l,
\end{aligned}$$

which shows the first inequality.

To see the second inequality, note that $\max(u.Ft(G_1), u.Ft(G_2)) = t + k \cdot c_1 - l$. The definition of $time(A,b)$ implies that

$$s.Ct \le s'.Lt(LOCAL).$$

Lemma 4.1 implies that

$$s'.Ft(TICK) \ge s'.Lt(LOCAL) + c_1 - l.$$

Therefore,

$$\begin{aligned}
s.Ft(TICK) + (s.TIMER - 1)c_1 &= s'.Ft(TICK) + (s.TIMER - 1)c_1 \\
&\ge s'.Lt(LOCAL) + c_1 - l + (s.TIMER - 1)c_1 \\
&\ge t + c_1 - l + (s.TIMER - 1)c_1 \\
&= t + k \cdot c_1 - l,
\end{aligned}$$

which implies the second inequality.

Case 2: $\pi = ELSE$. Then define $u$ so that

$$u.Ft(G_1) = u'.Ft(G_1),\quad u.Lt(G_1) = u'.Lt(G_1),\quad u.Ft(G_2) = u'.Ft(G_2), \quad\text{and}\quad u.Lt(G_2) = u'.Lt(G_2).$$

(Other components are exactly as in $s$.) The preconditions already checked imply that $(u',(\pi,t),u)$ is a step of $B$. It remains to show that $u \in f(s)$. Since $(ELSE,t)$ is enabled in $time(A,b)$, we have $s'.TIMER > 0$. Since $s.TIMER = s'.TIMER$, we also have $s.TIMER > 0$. Thus, we must show that

$$\min(u.Lt(G_1), u.Lt(G_2)) \ge s.Lt(TICK) + (s.TIMER - 1)c_2 + l,$$

and

$$\max(u.Ft(G_1), u.Ft(G_2)) \le s.Ft(TICK) + (s.TIMER - 1)c_1.$$

To see the first inequality, note that the inductive hypothesis implies that

$$\min(u'.Lt(G_1), u'.Lt(G_2)) \ge s'.Lt(TICK) + (s'.TIMER - 1)c_2 + l.$$

But

$$\min(u.Lt(G_1), u.Lt(G_2)) = \min(u'.Lt(G_1), u'.Lt(G_2)),$$

and

$$s.Lt(TICK) = s'.Lt(TICK).$$

Therefore, the first inequality holds.

To see the second inequality, note that the inductive hypothesis implies that

$$\max(u'.Ft(G_1), u'.Ft(G_2)) \le s'.Ft(TICK) + (s'.TIMER - 1)c_1.$$

But

$$\max(u.Ft(G_1), u.Ft(G_2)) = \max(u'.Ft(G_1), u'.Ft(G_2)),$$

and

$$s.Ft(TICK) = s'.Ft(TICK).$$

Therefore, the second inequality holds.

Case 3: $\pi = TICK$. Then define $u$ so that

$$u.Ft(G_1) = u'.Ft(G_1),\quad u.Lt(G_1) = u'.Lt(G_1),\quad u.Ft(G_2) = u'.Ft(G_2), \quad\text{and}\quad u.Lt(G_2) = u'.Lt(G_2).$$

(Other components are exactly as in $s$.) The preconditions already checked imply that $(u',(\pi,t),u)$ is a step of $B$. It remains to show that $u \in f(s)$. Note that $s.TIMER = s'.TIMER - 1$. There are two subcases to consider.

1. $s.TIMER > 0$.

Then we must show that

$$\min(u.Lt(G_1), u.Lt(G_2)) \ge s.Lt(TICK) + (s.TIMER - 1)c_2 + l,$$

and

$$\max(u.Ft(G_1), u.Ft(G_2)) \le s.Ft(TICK) + (s.TIMER - 1)c_1.$$

To see the first inequality, note that the inductive hypothesis implies that

$$\min(u'.Lt(G_1), u'.Lt(G_2)) \ge s'.Lt(TICK) + (s'.TIMER - 1)c_2 + l.$$

But

$$\min(u.Lt(G_1), u.Lt(G_2)) = \min(u'.Lt(G_1), u'.Lt(G_2)),\qquad s.Lt(TICK) = t + c_2,$$

and

$$t \le s'.Lt(TICK).$$

Therefore, we have

$$\begin{aligned}
\min(u.Lt(G_1), u.Lt(G_2)) &= \min(u'.Lt(G_1), u'.Lt(G_2)) \\
&\ge s'.Lt(TICK) + (s'.TIMER - 1)c_2 + l \\
&= s'.Lt(TICK) + ((s.TIMER + 1) - 1)c_2 + l \\
&= c_2 + s'.Lt(TICK) + (s.TIMER - 1)c_2 + l \\
&= s.Lt(TICK) - t + s'.Lt(TICK) + (s.TIMER - 1)c_2 + l.
\end{aligned}$$

Since the definition of $time(A,b)$ implies that

$$s'.Lt(TICK) \ge t,$$

the first inequality follows.

To see the second inequality, note that the inductive hypothesis implies that

$$\max(u'.Ft(G_1), u'.Ft(G_2)) \le s'.Ft(TICK) + (s'.TIMER - 1)c_1.$$

But

$$\max(u.Ft(G_1), u.Ft(G_2)) = \max(u'.Ft(G_1), u'.Ft(G_2)),$$

and

$$s.Ft(TICK) = t + c_1.$$

Furthermore, by the definition of $time(A,b)$,

$$t \ge s'.Ft(TICK).$$

Hence,

$$\begin{aligned}
\max(u.Ft(G_1), u.Ft(G_2)) &= \max(u'.Ft(G_1), u'.Ft(G_2)) \\
&\le s'.Ft(TICK) + (s'.TIMER - 1)c_1 \\
&= s'.Ft(TICK) + ((s.TIMER + 1) - 1)c_1 \\
&= c_1 + s'.Ft(TICK) + (s.TIMER - 1)c_1 \\
&\le c_1 + t + (s.TIMER - 1)c_1 \\
&= s.Ft(TICK) + (s.TIMER - 1)c_1,
\end{aligned}$$

as needed.

2. $s.TIMER = 0$.

Then we must show that

$$\min(u.Lt(G_1), u.Lt(G_2)) \ge s.Lt(LOCAL)$$

and

$$\max(u.Ft(G_1), u.Ft(G_2)) \le s.Ct.$$

Note that $s'.TIMER = 1$.

To see the first claim, note that $s'.TIMER > 0$, so the inductive hypothesis implies that

$$\min(u'.Lt(G_1), u'.Lt(G_2)) \ge s'.Lt(TICK) + (s'.TIMER - 1)c_2 + l = s'.Lt(TICK) + l.$$

Furthermore, note that the definition of $time(A,b)$ implies that

$$t \le s'.Lt(TICK).$$

Hence

$$\begin{aligned}
\min(u.Lt(G_1), u.Lt(G_2)) &= \min(u'.Lt(G_1), u'.Lt(G_2)) \\
&\ge s'.Lt(TICK) + l \\
&\ge s.Ct + l \\
&\ge s.Lt(LOCAL),
\end{aligned}$$

which shows the first claim.

To see the second claim, note that $s'.TIMER > 0$, so the inductive hypothesis implies that

$$\max(u'.Ft(G_1), u'.Ft(G_2)) \le s'.Ft(TICK) + (s'.TIMER - 1)c_1 = s'.Ft(TICK).$$

Now, $s'.Ft(TICK) \le t$, so that

$$\max(u'.Ft(G_1), u'.Ft(G_2)) \le t.$$

But

$$\max(u.Ft(G_1), u.Ft(G_2)) = \max(u'.Ft(G_1), u'.Ft(G_2)) \le t = s.Ct,$$

as needed.
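The requirements automaton $B$ and the mapping $f$ used in the proof above, exercised on random executions of the resource manager. This is an added example, not code from the paper: the step relation of $B$ (conditions 2 to 4) and the two inequality pairs of $f$ are transcribed from the text, while the concrete automaton $time(A,b)$ is a reconstruction from the facts the proof uses (a TICK every $[c_1, c_2]$, $TIMER$ counting down, GRANT within $l$ of the TICK that zeroes it) under the assumption $l \le c_1$, with field names chosen here.

```python
"""Mapping check for the resource manager: does u in f(s) survive every step?
Added example, not from the paper.  B's step relation and the inequalities
of f are transcribed from the appendix; time(A,b) below is an assumed
reconstruction (TICK every [c1,c2], GRANT within l of the TICK that zeroes
TIMER, l <= c1 so that no TICK can precede that GRANT)."""
import random
INF = float("inf")

def b_step(u, act, t, k, c1, c2, l):
    """Step relation of B (conditions 2-4); None if (act, t) is not enabled in u."""
    if t < u["Ct"]:                                   # condition 2: time never decreases
        return None
    if act == "GRANT":                                # condition 3: inside both windows
        if not (u["FtG1"] <= t <= u["LtG1"] and u["FtG2"] <= t <= u["LtG2"]):
            return None
        return {"Ct": t, "FtG1": 0, "LtG1": INF,
                "FtG2": t + k * c1 - l, "LtG2": t + k * c2 + l}
    if t > u["LtG1"] or t > u["LtG2"]:                # condition 4: no deadline passed
        return None
    return dict(u, Ct=t)

def in_f(s, u, c1, c2, l):
    """u in f(s): the inductive inequalities of the proof, split on s.TIMER."""
    lo, hi = max(u["FtG1"], u["FtG2"]), min(u["LtG1"], u["LtG2"])
    if s["TIMER"] > 0:
        return (hi >= s["LtTICK"] + (s["TIMER"] - 1) * c2 + l
                and lo <= s["FtTICK"] + (s["TIMER"] - 1) * c1)
    return hi >= s["LtLOCAL"] and lo <= s["Ct"]

def run(k, c1, c2, l, steps, seed):
    """Random execution of time(A,b); u is rebuilt as in the proof (it changes only
    on GRANT) and checked to be a B step landing in f(s).  Integer times are exact."""
    rng = random.Random(seed)
    s = {"Ct": 0, "TIMER": k, "FtTICK": c1, "LtTICK": c2, "LtLOCAL": INF}
    u = {"Ct": 0, "FtG1": k * c1, "LtG1": k * c2 + l, "FtG2": 0, "LtG2": INF}
    if not in_f(s, u, c1, c2, l):
        return False
    for _ in range(steps):
        if s["TIMER"] == 0:                           # GRANT before the local deadline
            t, act = rng.randint(s["Ct"], s["LtLOCAL"]), "GRANT"
            s = dict(s, Ct=t, TIMER=k, LtLOCAL=INF)
        else:                                         # TICK inside [Ft(TICK), Lt(TICK)]
            t, act = rng.randint(max(s["Ct"], s["FtTICK"]), s["LtTICK"]), "TICK"
            s = dict(s, Ct=t, TIMER=s["TIMER"] - 1, FtTICK=t + c1, LtTICK=t + c2)
            if s["TIMER"] == 0:
                s["LtLOCAL"] = t + l
        u = b_step(u, act, t, k, c1, c2, l)
        if u is None or not in_f(s, u, c1, c2, l):
            return False
    return True
```

Dropping the assumption $l \le c_1$, or resetting $TIMER$ to anything other than $k$ on GRANT, makes `run` return `False` on some seed, which is the simulation proof failing at that step.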


A.3 Proof of Lemma 6.2

Proof: We begin by giving an explicit description of $B_k$, by instantiating the general definition of $time(A,U)$ for the case where $U = U_k$. We use this explicit description in the proof below.

Each state of $B_k$ has component $As$, holding a state of $A$, plus $Ct$, $Ft(k,n)$, $Lt(k,n)$, $Ft(SIGNAL_i)$ and $Lt(SIGNAL_i)$, for every $i$, $0 \le i \le k$, $Ft(NULL)$ and $Lt(NULL)$. Each initial state of $B_k$ consists of an initial state $s$ of $A$, plus $Ct = 0$, $Ft(NULL) = n_1$, $Lt(NULL) = n_2$, all other $Ft$ components equal to $0$, and all other $Lt$ components equal to $\infty$. If $(\pi,t)$ is an action of $B_k$, then $(s',(\pi,t),s)$ is a step of $B_k$ exactly if the following conditions hold.

1. $(s'.As, \pi, s.As)$ is a step of $A$.

2. $s'.Ct \le t = s.Ct$.

3. $t \le s'.Lt(k,n)$, $t \le s'.Lt(SIGNAL_i)$ for all $i$, $0 \le i \le k$, and $t \le s'.Lt(NULL)$.

4. If $\pi = SIGNAL_i$, for $0 \le i \le k - 1$, then

(a) $s'.Ft(SIGNAL_i) \le t$,

(b) $s.Ft(SIGNAL_i) = 0$ and $s.Lt(SIGNAL_i) = \infty$,

(c) $s.Ft(SIGNAL_{i+1}) = t + d_1$ and $s.Lt(SIGNAL_{i+1}) = t + d_2$, and

(d) $s.Ft(k,n) = s'.Ft(k,n)$, $s.Lt(k,n) = s'.Lt(k,n)$, and $s.Ft(C) = s'.Ft(C)$ and $s.Lt(C) = s'.Lt(C)$ for all partition classes $C \notin \{SIGNAL_i, SIGNAL_{i+1}\}$.

5. If $\pi = SIGNAL_k$, then

(a) $s'.Ft(SIGNAL_k) \le t$,

(b) $s.Ft(SIGNAL_k) = 0$ and $s.Lt(SIGNAL_k) = \infty$,

(c) $s.Ft(k,n) = t + (n - k) \cdot d_1$ and $s.Lt(k,n) = t + (n - k) \cdot d_2$, and

(d) $s.Ft(C) = s'.Ft(C)$ and $s.Lt(C) = s'.Lt(C)$ for all partition classes $C \ne SIGNAL_k$.

6. If $\pi = SIGNAL_i$, for $k + 1 \le i \le n - 1$, then

(a) $s.Ft(k,n) = s'.Ft(k,n)$, $s.Lt(k,n) = s'.Lt(k,n)$, and $s.Ft(C) = s'.Ft(C)$ and $s.Lt(C) = s'.Lt(C)$ for all partition classes $C$.

7. If $\pi = SIGNAL_n$, then

(a) $s'.Ft(k,n) \le t$,

(b) $s.Ft(k,n) = 0$ and $s.Lt(k,n) = \infty$,

(c) $s.Ft(C) = s'.Ft(C)$ and $s.Lt(C) = s'.Lt(C)$ for all partition classes $C$.

8. If $\pi = NULL$ then

(a) $s'.Ft(NULL) \le t$,

(b) $s.Ft(NULL) = t + n_1$ and $s.Lt(NULL) = t + n_2$, and

(c) $s.Ft(k,n) = s'.Ft(k,n)$, $s.Lt(k,n) = s'.Lt(k,n)$, and $s.Ft(C) = s'.Ft(C)$ and $s.Lt(C) = s'.Lt(C)$ for all partition classes $C \ne NULL$.

The description of $B_{k-1}$ is similar, but with $k - 1$ replacing $k$. We now present the proof of Lemma 6.2. Let $s$ and $u$ be the unique start states of $B_k$ and $B_{k-1}$, respectively. Then $u.Lt(k-1,n) = \infty$ and $u.Ft(k-1,n) = 0$, so the inequalities clearly hold, implying that $u \in f_k(s)$.

Now consider a step $(s',(\pi,t),s)$ of $B_k$, where $s'$ is a reachable state of $B_k$, and suppose that $u'$ is a reachable state of $B_{k-1}$ such that $u' \in f_k(s')$. We first argue that $(\pi,t)$ is enabled in $u'$.

There are two key facts that we must show. The first is that

$$t \le u'.Lt(k-1,n).$$

The inductive hypothesis implies that

$$u'.Lt(k-1,n) \ge \begin{cases}
s'.Lt(k,n) & \text{if } s'.FLAG_i = true \text{ for some } i,\ k+1 \le i \le n, \\
s'.Lt(SIGNAL_k) + (n-k)d_2 & \text{if } s'.FLAG_k = true, \\
\infty & \text{otherwise.}
\end{cases}$$

First suppose that $u'.Lt(k-1,n) \ge s'.Lt(k,n)$; then since $(\pi,t)$ is enabled in $s'$, it must be that $t \le s'.Lt(k,n)$. Thus, $t \le u'.Lt(k-1,n)$ in this case. Second, suppose that $u'.Lt(k-1,n) \ge s'.Lt(SIGNAL_k) + (n-k)d_2 \ge s'.Lt(SIGNAL_k)$. Since $(\pi,t)$ is enabled in $s'$, it must be that $t \le s'.Lt(SIGNAL_k)$. Therefore, $t \le u'.Lt(k-1,n)$ in this case. The only remaining case is that $u'.Lt(k-1,n) = \infty$, in which case the condition clearly holds.

The second key fact to show is that if $\pi = SIGNAL_n$, then

$$t \ge u'.Ft(k-1,n).$$

So suppose that $\pi = SIGNAL_n$. Since $\pi$ is enabled in $s'$, it must be that $s'.FLAG_n = true$. Since $u' \in f_k(s')$, $s'.FLAG_n = true$, and $k < n$, the definition of $f_k$ implies that

$$u'.Ft(k-1,n) \le s'.Ft(k,n).$$

But $t \ge s'.Ft(k,n)$ since $(\pi,t)$ is enabled in $s'$. Therefore, $t \ge u'.Ft(k-1,n)$, as needed.

Thus, $(\pi,t)$ is enabled in $u'$. To complete the proof, we must show that (for $s'$, $u'$ and $\pi$ as described above) there exists a state $u$ of $B_{k-1}$ such that $(u',(\pi,t),u)$ is a step of $B_{k-1}$ and $u \in f_k(s)$. We define $u$ to be the unique state defined by $u.As = s.As$ and $Ft$ and $Lt$ components as implied by the construction of $B_{k-1}$, such that $(u',(\pi,t),u)$ is a step of $B_{k-1}$; it remains to show that $u \in f_k(s)$. We consider cases.

Case 1: $\pi = SIGNAL_i$, for $0 \le i \le k - 2$.

Then $u.Ft(k-1,n) = 0$ and $u.Lt(k-1,n) = \infty$, which immediately imply the inequalities. Also, since $u.Ft(SIGNAL_i) = s.Ft(SIGNAL_i) = 0$ and $u.Lt(SIGNAL_i) = s.Lt(SIGNAL_i) = \infty$, and all components of $u'$ other than $u'.Ft(k-1,n)$ and $u'.Lt(k-1,n)$ have the same value as the corresponding components of $s'$, it follows that all components of $u$ other than $u.Ft(k-1,n)$ and $u.Lt(k-1,n)$ have the same value as the corresponding components of $s$. Therefore, $u \in f_k(s)$.

Case 2: $\pi = SIGNAL_{k-1}$.

Then

$$\begin{aligned}
u.Lt(k-1,n) &= t + (n - (k-1))d_2 = t + (n - k + 1)d_2, \\
u.Ft(k-1,n) &= t + (n - (k-1))d_1 = t + (n - k + 1)d_1, \\
s.Lt(SIGNAL_k) &= t + d_2, \\
s.Ft(SIGNAL_k) &= t + d_1,
\end{aligned}$$

and $s.FLAG_k = true$.

Thus we have

$$u.Lt(k-1,n) = t + (n-k+1)d_2 = t + d_2 + (n-k)d_2 = s.Lt(SIGNAL_k) + (n-k)d_2$$

and

$$u.Ft(k-1,n) = t + (n-k+1)d_1 = t + d_1 + (n-k)d_1 = s.Ft(SIGNAL_k) + (n-k)d_1.$$

This implies the inequalities. The equivalence of corresponding components of $u$ and $s$ is straightforward, as in Case 1.

Case 3: $\pi = SIGNAL_k$.

Then

$$\begin{aligned}
u.Lt(k-1,n) &= u'.Lt(k-1,n), \\
u.Ft(k-1,n) &= u'.Ft(k-1,n), \\
s.Lt(k,n) &= t + (n-k)d_2, \\
s.Ft(k,n) &= t + (n-k)d_1, \\
s'.FLAG_k &= true,
\end{aligned}$$

and $s.FLAG_{k+1} = true$.

Since $s.FLAG_{k+1} = true$, the inequalities we need to show are:

$$u.Lt(k-1,n) \ge s.Lt(k,n) \quad\text{and}\quad u.Ft(k-1,n) \le s.Ft(k,n).$$

For the upper bound,

$$\begin{aligned}
u.Lt(k-1,n) &= u'.Lt(k-1,n) \\
&\ge s'.Lt(SIGNAL_k) + (n-k)d_2 && \text{since } u' \in f_k(s') \text{ and } s'.FLAG_k = true, \\
&\ge t + (n-k)d_2 && \text{since } t \le s'.Lt(SIGNAL_k) \text{ by the fact that } (\pi,t) \text{ is enabled in } s', \\
&= s.Lt(k,n).
\end{aligned}$$

For the lower bound we get, using similar reasoning,

$$\begin{aligned}
u.Ft(k-1,n) &= u'.Ft(k-1,n) \\
&\le s'.Ft(SIGNAL_k) + (n-k)d_1 \\
&\le t + (n-k)d_1 \\
&= s.Ft(k,n).
\end{aligned}$$

The equivalence of corresponding components of $u$ and $s$ is again straightforward.

Case 4: $\pi = SIGNAL_i$, for $k + 1 \le i \le n - 1$.

This step does not change any $Ft$ or $Lt$ component of either $B_k$ or $B_{k-1}$. Thus, the inequalities and equivalences are all preserved.

Case 5: $\pi = SIGNAL_n$.

Then $u.Lt(k-1,n) = \infty$ and $u.Ft(k-1,n) = 0$, so that the inequalities are immediate; the equivalences are again straightforward.

Case 6: $\pi = NULL$.

This step does not change any of the $Ft$ or $Lt$ components involved in the inequalities, so that the inequalities are preserved. Since the only changes to $Ft$ and $Lt$ components made by this step are to set $u.Ft(NULL) = s.Ft(NULL) = t + n_1$ and $u.Lt(NULL) = s.Lt(NULL) = t + n_2$, the equivalences are again straightforward. ■